It feels like it was only yesterday that I was writing a story about malware on Coolsmartphone [it was, ed]. A security researcher from Quihoo 360, unveiled an exploit at the PacSec conference in Tokyo by Guang Gong. However, most of the details have not been fully released to the public which tends to be a good thing. The exploit itself targets the JavaScript v8 engine. The worrying problem is that this affects pretty much every Android handset out there!
What we do know about this exploit, is that the vulnerability manipulates JavaScript v8 engine to gain full administrative access to the victim’s phone. The bug is part of Google’s Chrome which is part of every Chrome installation.
PacSec organiser Dragos Ruiu told Vulture South the exploit was demonstrated on a new Google Project Fi Nexus 6.
“The impressive thing about Guang’s exploit is that it was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction,” Ruiu says.
“As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.”
“The vuln being in recent version of Chrome should work on all Android phones; we were checking his exploit specifically but you could recode it for any Android target since he was hitting the JavaScript engine”
According to The Register, the Google security team immediately contacted Gong after his demonstration, and rumour has it that the Chrome team is already getting a fix in place. Gong may be eligible to receive an Android bug bounty reward for the vulnerability.