Google’s Chrome staff got in contact with the security researcher and has already started working on a fix
A Chinese security researcher has found a security vulnerability in Google’s Chrome browser for Android, which he recently presented during the MobilePwn2Own event at the PacSec security conference in Tokyo, as The Register is reporting.
The exploit allows attackers to install apps on victims’ phones
Gong declined to provide technical details about his exploit, but he gave a demonstration instead.
During his demo, Gong used a regular Android phone to access a malicious link, which by leveraging the security exploit, installed another app on the phone, without any user interaction.
Unlike similar Chrome exploits, the vulnerability discovered by Gong did not require chaining multiple bugs together to work or to gain root privileges.
Google is already working on a fix
A Google engineer immediately got in contact with Gong after his presentation and rumors have it that the Chrome team is already getting a fix ready.
Gong told The Register that the vulnerability could be exploited via the latest Chrome version, and in theory, should work on any Android version.
Since the exploit was not made public, and exclusive details were provided to Google’s staff alone, Gong may be eligible to receive an Android bug bounty reward. The highest prize money he could receive is $30,000, but since no extra technical details are available, this is mere speculation.
PacSec organizer, Dragos Ruiu, says that in the following days, another team of developers from Germany is set to give a presentation on how to hack a popular Samsung phone.