Caution: This Chrome Exploit Puts Majority Of Android Devices At Risk

Just before the new story arrives about Chrome exploit, we’re explaining on how Google planning to warn Gmail users from receiving unsecurely delivered Emails (unencrypted). Bad news fro the whole Android ecosystem is that from a security perspective. Presented by Guang Gong, a security researcher employed by Quihoo 360, the findings at this year’s PacSec conference in Tokyo that demonstrates a serious vulnerability in the Google’s mobile OS platform, Android. Vulnerability that can easily be exploited by those with the correct knowledge is accessible thanks to a gaping security oversight in native Chrome browser of Android. What’s more terrifying fact is that it applies to every single version of Android with the latest version of Chrome installed.

This Chrome vulnerability further adds to the scare posed, with which it can compromise a device no matter what Android version or Chrome browser its running.

Major Chrome Exploit Puts All Android Devices At Risk
PacSec organizer Dragos Ruju, who was present on the PWN2OWN panel that was privy to the presentation, has discussed the sophistication of the techniques used:

The impressive thing about Guang’s exploit is that it was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction…As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.

Currently, the inner workings of the vulnerability, and intricate details on how it can actually be exploited, have been kept relatively quite as part of an effort to contain the issue, but it is said that it was JavaScript v8 in Chrome browser, was being targeted. Given the fact that it can be used to exploit any version of the Android OS running the new Google’s Chrome version of web browser, and the fact rectifies that it can immediately provide a malicious individual with total control over a device, and it’s indisputable  in the best interests of the Android population for this one to be kept under wraps.

Methods demonstrated  to show how easy the application and injection were utilized in the process without any damage occurring to the exploited device. If the JavaScript v8 vulnerability is the culprit in the exploited world, by real hackers with the intention of causing damage and extracting data, then the application used to host that remote code would be far less dormant. The information from the presenters however have informed Google of their findings, which will definitely force the company into quick and swift action.

(Source: The Register)