Researcher discovers a hidden vulnerability in the latest version of Chrome for Android which can be easily exploited by anybody

A security researcher has discovered a critical exploit in Chrome for Android which is capable of compromising virtually every version of Android smartphone and tablets running the latest Android.

Guang Gong  a security researcher from Quihoo 360 found the security vulnerability in Google’s Chrome browser for Android, which he recently presented during the MobilePwn2Own event at the PacSec security conference in Tokyo.

According to Gong, the vulnerability, if exploited, can allow the potential hacker to take the administrative control of the Android smartphone and install any malicious App or APK. While Gong has not made the inner workings of the exploit public, it is known that his vulnerability leverages JavaScript v8 to gain full administrative access to the victim’s phone.

According to Gong the bug is in the V8 JavaScript engine that comes packed with each Chrome installation. V8 is a JavaScript compiler written in C & C++, responsible for interpreting JS code fed into the browser, by converting it into machine code before executing it, gaining extra speed by doing so.

Gong demonstrated his PoC at PacSec where he used a regular Android smartphone to access a malicious link, which by leveraging the security exploit, installed another app on the phone, without any user interaction. Unlike similar Chrome exploits, the vulnerability discovered by Gong did not require chaining multiple bugs together to work or to gain root privileges.

“The impressive thing about Guang’s exploit is that it was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction,” PacSec organiser Dragos Ruiu told Vulture South. “As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.”

According to Register, Google security team immediately contacted Gong after his demonstration and rumors have it that the Chrome team is already getting a fix ready.  Gong may be eligible to receive an Android bug bounty reward for the vulnerability.

Also read: Top 15 Android Hacking Apps and Tools of 2016

LEAVE A REPLY

Please enter your comment!
Please enter your name here