New Android exploit can hack any handset in one shot
Quihoo 360 researcher Guang Gong showcased the exploit during the recent MobilePwn2Own segment of the PacSec conference in Tokyo.
Gong discovered the vulnerability involved the manipulation of the V8 JavaScript engine and showed the weakness was present in essentially all versions of Google’s Android OS.
Worse still, as this bug was found in one of the newest Android handsets – Google’s own Nexus 6 (Project Fi version) – it suggests the problem could affect lots of phones. As long as you avoid sketchy websites and stick to the Play Store for downloads, you should be fine, but it’s always to good to keep an eye on the security landscape.
Following the Stagefright debacle, any Android phone running Chrome is now vulnerable to a new exploit that uses JavaScript v8 to gain full administrator privileges on the device.
The article quoted PacSec organizer Dragos Ruiu as saying, “The impressive thing about Guang’s exploit is that it was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction”.
Gong said he uncovered eight Android vulnerabilities while conducting his research, and sent a report of his findings to Google in April.
During his demo, Gong used a regular Android phone to access a malicious link, which by leveraging the security exploit, installed another app on the phone, without any user interaction.
According to Register, Google security team immediately contacted Gong after his demonstration and rumors have it that the Chrome team is already getting a fix ready. The highest prize money he could receive is $30,000, but since no extra technical details are available, this is mere speculation.