Chrome Hole Affects Android Devices

Monday, November 16, 2015 @ 04:11 PM gHale

There is an exploit in Google’s Chrome for Android that could lead to the compromise of any device.

The exploit, featured at the MobilePwn2Own at the PacSec conference in Tokyo, targets the JavaScript v8 engine. While researcher unveiled the vulnerability, they did not disclose full details.

Possible Backdoor on Android Devices
Fun to Serious: 11 Zero Days in Mobile Device
Android Media Processing Holes Patched
LTE 4G Threats Plague Android Users

The researchers did say, however, the hole probably affects all Android phones if users visit a malicious website.

It is a single clean exploit that does not require multiple chained vulnerabilities to work, the researchers said.

Quihoo 360 Researcher, Guang Gong, showcased the exploit which he developed over three months.

The researcher demonstrated the exploit on a new Google Project Fi Nexus 6.

A Google security engineer on site received the bug.

A second team from Germany also appears to have popped a modern Samsung phone, with a demonstration delayed until today due to a delayed flight.

Gong will now go to the CanSecWest security conference in March next year.

Last year hackers exposed vulnerabilities in popular phones for shares in $425,000 in cash rewards, but security sponsors Google and Hewlett Packard’s Zero Day Initiative pulled out.

HP says it did not sponsor the competition thanks to the complexities of the Wassenaar Arrangement and the $300 million acquisition of Tipping Point and the Zero Day Initiative by Trend Micro.

Due to the complexity of obtaining real-time import and export licenses in countries that participate in the Wassenaar Arrangement, the ZDI notified conference organizer, Dragos Ruiu, it would not be holding the Pwn2Own contest at PacSecWest, a spokesperson said.