
Exploit in latest Chrome puts Every Android Phone at Risk

November 13, 2015 - Written By Alexander Maxham

This morning we are waking up to another security exploit affecting a number of Android smartphones. This time it has to do with the Google Chrome browser, and it affects every device with the latest version of Chrome installed. With Chrome being pre-installed on every device (at least those sold outside of China and not running a forked version of Android), that’s a whole lot of affected devices. Exploiting a device through Chrome is actually very easy: all it takes is opening a website containing the malicious code, and the attacker will have full control of your phone. This includes being able to download apps, make phone calls, just about anything, without your interaction. The good thing here is that it’s not out in the wild yet, so you don’t need to be too concerned just yet.

The news broke this morning. The vulnerability was discovered by Guang Gong, who is part of the security software vendor Qihoo 360, at Mobile Pwn2Own. It was announced at the PacSec conference in Tokyo and involves the V8 JavaScript engine being manipulated. Gong did not share detailed information about the exploit at the PacSec conference, but did state that it took about 3 months of work. The work paid off, as a member of Google’s security team was present and has taken the details back to Mountain View. Gong will likely receive a bug bounty as well. This also means that Google is aware of the exploit and is likely working on a fix. The good news here is that since it’s through Chrome, we don’t need to wait for an OTA to be approved by the manufacturers and then the carriers. Google can just push the update out through Google Play. Very simple.

While this does sound a bit scary, seeing as a simple link can give an attacker full remote access to your phone, it’s important to remember that you should only click or tap on links that you know are authentic. For instance, if you get an email from Dropbox, but the link doesn’t go to Dropbox, don’t click on it. These are simple measures to protect yourself, and with this exploit, they are more important than ever. As soon as we get a patch from Google for Chrome, we’ll be sure to let everyone know it’s available.