Chrome for Android Has a Hidden Vulnerability, Quite Simple to Exploit

Share this…

Google’s Chrome staff got in contact with the security researcher and has already started working on a fix
A Chinese security researcher has found a security vulnerability in Google’s Chrome browser for Android, which he recently presented during the MobilePwn2Own event at the PacSec security conference in Tokyo, as The Register is reporting.

The researcher, Guang Gong, working for Quihoo 360, says he found the bug in the V8 JavaScript engine that comes packed with each Chrome installation. V8 is a JavaScript compiler written in C & C++, responsible for interpreting JS code fed into the browser, by converting it into machine code before executing it, gaining extra speed by doing so.

Chrome for Android Has a Hidden Vulnerability, Quite Simple to Exploit

The exploit allows attackers to install apps on victims’ phones

Gong declined to provide technical details about his exploit, but he gave a demonstration instead.

During his demo, Gong used a regular Android phone to access a malicious link, which by leveraging the security exploit, installed another app on the phone, without any user interaction.

Unlike similar Chrome exploits, the vulnerability discovered by Gong did not require chaining multiple bugs together to work or to gain root privileges.

Google is already working on a fix

A Google engineer immediately got in contact with Gong after his presentation and rumors have it that the Chrome team is already getting a fix ready.

Gong told The Register that the vulnerability could be exploited via the latest Chrome version, and in theory, should work on any Android version.

Since the exploit was not made public, and exclusive details were provided to Google’s staff alone, Gong may be eligible to receive an Android bug bounty reward. The highest prize money he could receive is $30,000, but since no extra technical details are available, this is mere speculation.

PacSec organizer, Dragos Ruiu, says that in the following days, another team of developers from Germany is set to give a presentation on how to hack a popular Samsung phone.