Single Chrome exploit can compromise any Android smartphone

by: John Dye, November 13, 2015

A researcher at Qihoo 360 recently discovered an exploit in Chrome that can probably demolish even the newest, most up-to-date Android devices if the user visits an infected site.

The vulnerability was exposed at PacSec’s MobilePwn2Own event. What makes the exploit particularly unsettling is that it’s just one exploit, not an elaborate chain of exploits that interlink to reach an eventual compromise. Although the showcase did not go into the precise details of how the exploit works, it was revealed that it takes advantage of a vulnerability in V8, Chrome’s JavaScript engine.

The researcher who discovered the exploit is Guang Gong, and PacSec will be rewarding Guang for uncovering and releasing the exploit by flying him to the CanSecWest security conference for a ski trip in March of 2016. In addition to this, Google will also likely pay a bounty for the bug’s discovery, as a Google security representative at the event took Guang’s work back for consideration.

The vulnerability took the researcher three months of development to fully flesh out, but when he demonstrated it, the method proved scarily smooth and efficient. After a Nexus 6 visited an unremarkable web address laced with the malicious script, Guang was able to take over the device entirely, and he used this access to download a BMX bike game onto it.

PacSec’s organizer, Dragos Ruiu, reported that this vulnerability should work on any Android device since it hits the JavaScript engine. Soon after the exploit’s reveal, a German team claimed to have replicated it on a Samsung device.

Pretty spooky stuff, all in all.

What are your thoughts on this compromise? Let us know in the comments below.

  • Cicero

    I pass on Chrome and use the stock Internet from Samsung. I feel it is smoother and lighter than Chrome.

  • I use Firefox

  • onstrike112

    This explains why I use a BlackBerry Passport and an iPad.

    • Zombie

      Mfw every device has its vulnerabilities, but you think you’re safe

      • Gabriel Valle

        Yeah but it’s alarming how many have hit android in the last couple of months.

        • Santeri Ala-Turkia

          It is, but it also shows how much bigger of an OS Android is compared to, say, iOS or WP.

          • mobilemann

            iOS has 50% in the US, and with its installed base is a pretty huge target?

      • onstrike112

        Safer than the crapdroids that you use.

        • Sony Fanboy

          This vulnerability doesn’t affect encrypted phones. Encrypt your Android and you’re good to go. Too bad other manufacturers won’t let you encrypt your phone.

          • onstrike112

            You mean do what the default isn’t. In other words, no one will.

          • Sony Fanboy

            Except those of us that actually understand tech.

          • onstrike112

            No, those that do, don’t use a stupid android phone.

          • Sony Fanboy

            That shows how much you know. Because of its open source environment, techies prefer Android.
            That’s a big part of why Android is the most popular OS in the world.

            Example: My boss is the biggest Apple fan I know, yet his Androids are the only devices he ALWAYS has on him, because they are the only devices he has that work with ALL of his tech.

          • onstrike112

            Shows how little you know. Androids are insecure, fragmented, and hacky. That’s just how they are, and is the perfect reasoning as to why I use a BlackBerry 10 device instead of a crapdroid.

          • Sony Fanboy

            Keep telling yourself that. The rest of us will enjoy our best devices, our Androids.

          • onstrike112

            More like insecure, hacky, fragmented bullcrap.

          • Sony Fanboy

            Says the Blackberry user. Why don’t you leave 2007 like the rest of us did at the end of 2007?

          • onstrike112

            I did, I use BlackBerry 10, not BlackBerry OS 7.

    • DarrenSaw

      Ah, you are the person that bought one

      • onstrike112

        Are you the person who got hacked using one of the seas of crappy “me too” Android phones?

        • Sony Fanboy

          Fogging idiots talking about this “me too” crap need to STFU. Every smartphone is a “me too” phone

          • onstrike112

            Your android, especially!

          • Sony Fanboy

            84% of iPhone “new” features since October 2008 were already in Android or Windows. 58% of Android “new” features were already on an iPhone or other device since Oct 2008. 96% of “new” features in Windows phones already existed on another platform.

            Looks like Android is the least “me too” out of three most common platforms.

            Hater.

          • onstrike112

            Try BlackBerry, you complete numbskull.

          • Sony Fanboy

            What? Blackberry is not a commonly used platform. Since they have adopted Android, though, they are making a comeback. It’s amazing what good software can do for a company.

          • onstrike112

            BlackBerry 10 isn’t dead, and until you realize that, you’re not worth talking to.

          • Sony Fanboy

            HAHAHAHAHAHAHAHA!
            You have a good sense of humor, at least.

          • onstrike112

            You’re an idiot, and you might actually enjoy using a communication device for communication instead of a pathetic toy.

          • Sony Fanboy

            I’m not even sure what you mean by this one. Please explain your vague comment.
            I use all my devices for communication.

          • onstrike112

            Not that you’d be able to with memory leaks, icloud hacks, etc. You have toys. Not communication devices.

          • Sony Fanboy

            You are a true ignoramus. Memory leaks and iCloud hacks don’t stop communication.
            Smartphones are called smartphones because they go above and beyond conventional communication. They have numerous tools for taking on an infinite amount of everyday tasks that make them much more useful than just being communication tools. My multi-device ecosystem integration makes it easier to communicate as proper devices evolve, leaving Blackberry OS further behind. Blackberry is hard at work to make Blackberry OS more commonplace, which involves becoming much more like iOS and Android. Blackberry is a stone’s throw away from being just another “toy” that you despise so much. Too little too late for Blackberry, though. Don’t hate just because your phone can’t do as much as other phones and don’t fret, because soon it will, with the help of Android.

          • onstrike112

            My phone is a more powerful emailing, SMS, MMS, Web browsing, and battery saving device than any of your stupidphones. That’s what iOS and Android are. Stupid, for stupid people like yourself.

          • Sony Fanboy

            Is that why it takes you so long to respond? Keep on dreaming, dude

          • onstrike112

            Your own little idiotic username shows how much of an impartial end user you are, Mr. “Sony Fanboy”. Lol, you’re a joke.

          • Sony Fanboy

            Is that the best rebuttal you’ve got? What do you have against Sony?
            I could also throw a bunch of fallacies back at you, but I’ll take the high road here.
            I like my Sonys because they do everything really well, although they may not be the best at any one thing.
            You should also know that my next personal phone will probably be a BB if Sony doesn’t come back to the U.S. market.
            Blackberry is really a top notch device, despite their lack of market share.

          • onstrike112

            I have everything against Sony. From them attempting to force Android down people’s throats like Samsung, Google, Alcatel-Lucent, etc, to their bullcrap with the crapstation. They know nothing on how to make a good device and are more interested in the pissing contest that is the phone and console market. Finally add to that how they don’t care about the end users, and only corporate profits.

          • Sony Fanboy

            That’s crazy talk. The PS4 is B.A. And how does BB do anything for end users? I’m sure all phone manufacturers care about profits more, including BB. Sony considers their users more than most manufacturers from what I’ve seen.

          • onstrike112

            It’s “BA”? How? My PC stomps it flat in every metric.
            BlackBerry at least gives a crap about my mobile security. Unlike Sony.

          • Sony Fanboy

            Yes, PC gaming is where it’s at, but you can’t get PlayStation exclusives on a PC. Not to mention the constant annoyance of tweaking settings and upgrading hardware. I have both, myself.
            Blackberry does excel at security but that’s not an issue for me. I could care less about security on a phone. What I need is a strong screen and waterproofing.
            I really like my remote play, too. It’s addicting.

          • onstrike112

            What good “exclusives” do you have? None! My PC not only stomps stupid crapstations easily, it won’t be out of date in 2 months, and it is actually capable of good graphics. Finally to add to this, it’s got good exclusives like Civilization V and Beyond Earth. Why can’t you play those, I wonder…. Oh yeah, because I have a keyboard and mouse and you don’t.

            Then you use a phone that is a toy, and toys aren’t meant to do serious communication on. Have fun with your little toys, kiddo.

          • Sony Fanboy

            This is the most idiotic rant I have ever heard.

          • onstrike112

            And yours made any literal sense at all? Nope. You play games on toys and message people on toys.

          • Sony Fanboy

            Would you like a napkin to wipe up the poop that keeps falling out of your mouth?

          • onstrike112

            Would you like a frontal lobotomy to get rid of that nasty, faulty frontal lobe of yours?

          • Sony Fanboy

            You keep talking but all I hear are farts and turds

          • onstrike112

            If that’s what you think, it’s pretty clear that you have a faulty brain.

    • EQ

      How many BlackBerry users are there, 20, 50 or maybe 500 in the world? Go figure..

      • onstrike112

        I don’t know, but those that are, are a lot more secure than the seas of Android users that have a flabbergastingly insecure device in their hands and just accept what Google does to spy and screw over its users.

        • Sony Fanboy

          Moron. You know Blackberry has adopted Android, right?

          • onstrike112

            Moron, you know that BlackBerry 10 is getting more devices, right?

          • Sony Fanboy

            Yes, I know. I also know nobody cares.

          • onstrike112

            Speak for yourself nimrod.

          • Sony Fanboy

            I’m sorry, I should say I also know only a very small amount of people care.

          • onstrike112

            Thank you, and that small amount of people care about their phones being secure, smart, and battery friendly, unlike every Android and iOS user out there. There even was a recent Chrome problem that allows a device to have its phone calls recorded and listened in on. That’s not secure. That’s called “a joke”.

  • Justme

    What is not clear in the article is, does the use of other browsers other than Chrome protect users from the exploit? Just wondering since the article indicates it is an issue with a vulnerability in Javascript.

  • Hotbod Handsomeface

    How is this news? Phone building companies have been compromising on building phones for years. Why should the software be any different than the hardware?

  • It’s Qihoo 360 BTW, just sayin’.

  • Jaya Vinu

    Just out of curiosity, is there any way we can get the device up and running??

  • Kuru

    How much of an impact this vulnerability has is not presented in this article. Even though it is definitely unwanted to download something onto my device, I understand that it cannot do much harm unless it is installed. Default Android security settings should prevent “installation from unknown sources”, and therefore should be safe … Unless I’m missing something…

    • Izzy

      This quote was from the original source of this article, from The Register.
      “As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.”

  • Izzy

    My guess is that the script would do one of two things. 1) Ping the hijacker that there is a phone that is accessing their website and send over enough of the user credentials to get the phone pwned remotely, or 2) everything is done via a carefully crafted script that makes it do whatever it wants.

    The JavaScript v8 is a Chromium Project so it would only affect Chrome browsers, so my guess is using another browser like Firefox with a good ad blocker plug-in (uBlock Origin) would be enough to be protected, since this type of exploit can be injected on any website that would have ads in it.

  • Sony Fanboy

    I have to say if you’re stupid enough to visit an unknown java scripted website, you probably deserve to get hacked, if you’re not already hacked.