A new Chrome failure may compromise any Android smartphone

Hexamob | Alberto Mulas 11/13/2015

It has always been said that it never rains but it pours, and in the case of security and Google’s operating system we can say it is true. Since the arrival of StageFright in two variants and now this new problem. The issue of security in Android is an increasingly sensitive issue since these StageFrigth crisis. Thus, a researcher from Quihoo 360 has recently discovered a new bug in Chrome that can affect most Android devices on the market, including newer models, if the user visits an infected platforms.

This vulnerability has been disclosed in the event MobilePwn2Own organized by PacSec. But what in this case draws our attention and is more worrying is simply an exploit loaded application APK (pwned phone without user interaction upon visiting website), not a complex chain of steps that are linked to develop this new failure in Chrome. Although the investigator declined to publicly explain the details of this new flaw in Chrome, it is revealed that we are talking about a vulnerability in version 8 of JavaScript.

The researcher who discovered the exploit is Guang Gong, which was rewarded by PacSec, who invited him to the CanSecWest security conference in March next year to present his study on this new bug in Chrome. In addition, Google also probably pay a reward for the discovery of the error. Guang was in contact during the event with the security officer of the Mountain View company, who took into consideration his work.

A new Chrome failure may compromise any Android smartphone 1

The work to discover this vulnerability takes him more than three months. That is, to demonstrate that this Chrome failure has established an efficient method. With a Nexus 6, after visiting a mixed site with the uncomplicated malicious script was able to assume full control of the smartphone. In the demonstration, Guang installed a game without permission, but the danger may be much higher depending on who takes control.

The organizer of the appointment of PanSec reported that this vulnerability should work on any Android device as it hit the JavaScript engine. Shortly after discover it, a German team says it has been able to replicate it on a Samsung device.

A new Chrome failure may compromise any Android smartphone