Here’s some news that might make Android users change their mobile browsing habits for a while. A speaker at the Mobile Pwn2Own track of the PacSec 2015 Conference in Tokyo revealed an exploit targeting Chrome for Android that could give hackers complete control of any smartphone or tablet running Chrome. The exploit could be triggered by users browsing to an infected website using their Chrome mobile browser. What’s worse, emphasizes The Register, this is a single one-shot exploit, targeting a sole vulnerability in the V8 JavaScript engine in the Chrome browser.

Posting on Facebook, PacSec organizer Dragos Ruiu stated that:

PacSec speaker Guang Gong from Qihoo 360 just pwned my Google Project Fi Nexus 6 (which was fresh out of the box and only updated to the latest OS and apps) by having the Chrome browser visit the web server he set up on his laptop. As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone. Interestingly, this was a one shot exploit that did everything in one go instead of chaining multiple vulnerabilities. Off line we also tested his exploit on some other phones and it looks like it works on many targets – so I guess the three months he put into developing it delivered results.

The actual panel title from the conference gives some idea of how the exploit works. Guang Gong of Chinese software company Qihoo 360, who revealed the exploit, spoke on the topic of: “Exploiting Heap Corruption due to Integer Overflow in Android libcutils — Escalate privilege by vulnerabilities in Android system services: How to exploit CVE-2015-1528 to get system_server permission in Android.” According to The Register, a Google security expert was at the conference, and a patch or update from Google is to be expected soon.

Given the nature of the exploit, Android tablets and even mini-PC Android TV sticks running Chrome are likely to be equally vulnerable. And existing mobile security apps and firewalls will likely provide no defense against it. The Register hadn’t received any response from Google to its request for comment at the time of writing.

There’s no sign yet that this vulnerability has been exploited in any malware or other malicious hack. But until a patch is announced, Android users might want to limit their mobile browsing to known, safe sites, or use browsers other than Chrome.

