Click to Skip Ad
Closing in...

Scary new Android exploit can take over any device in seconds

Published Nov 13th, 2015 2:23PM EST
BGR

If you buy through a BGR link, we may earn an affiliate commission, helping support our expert product labs.

A new mobile exploit recently unveiled at the MobilePwn2Own panel at the PacSec conference this week enables an attacker to take control of any Android device via a Chrome link which unknowingly directs users to a malicious website.

Developed by Chinese security researcher Guang Gong, the full mechanics and underpinnings of the exploit weren’t revealed due to obvious security considerations. What we do know is that the exploit takes advantage of a security hole in Android’s JavaScript v8 engine.

DON’T MISS: Meet the tiny robot that walks on water, cleans pollution, and never needs to be charged

In showcasing the security vulnerability at the conference, Gong managed to take complete control of a Nexus 6 and install any applications of his choosing. The exploit took Gong three months to develop, and because it specifically targets the JavaScript v8 engine, reports indicate that the code can easily be tailored to target any Android device out on the market running the most recent version of Chrome.

“The impressive thing about Guang’s exploit is that it was one shot”, PacSec organiser Dragos Ruiu told Vulture South in remarks that were relayed by The Register.”Most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction.”

“As soon as the phone accessed the website,” Ruiu further explained, “the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.”

So what happens next?

Well, a representative from Google’s security team was naturally in attendance and he will reportedly head back to the mothership where the Android team will get busy working on a patch. As for Gong, he won a free trip to next year’s CanSecWest security conference and it’s also likely that he’ll get some cold hard cash in the form of a bug bounty reward from Google.

Yoni Heisler Contributing Writer

Yoni Heisler has been writing about Apple and the tech industry at large with over 15 years of experience. A life long expert Mac user and Apple expert, his writing has appeared in Edible Apple, Network World, MacLife, Macworld UK, and TUAW.

When not analyzing the latest happenings with Apple, Yoni enjoys catching Improv shows in Chicago, playing soccer, and cultivating new TV show addictions.