There’s more bad news for the Android ecosystem from a security perspective. Guang Gong, a security researcher employed by Quihoo 360, has presented findings at this year’s PacSec conference in Tokyo that demonstrates a serious vulnerability in the Android platform. The vulnerability that can easily be exploited by those with the correct knowledge is accessible thanks to a gaping security oversight in Android’s native Chrome browser, but is made even more terrifying by the fact that it applies to every single version of Android with the latest version of Chrome installed.
What further adds to the scare posed by this vulnerability, is the relative ease and speed with which it can compromise a device no matter what version of Android or Chrome browser its running.
PacSec organizer Dragos Ruiu, who was present on the PWN2OWN panel that was privy to the presentation given by Gong, discussed the sophistication of the techniques used:
The impressive thing about Guang’s exploit is that it was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction…As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.
To date, the inner workings of the vulnerability, and intricate details on how it can actually be exploited, have been kept relatively quiet as part of an effort to contain the issue, but we know that it was JavaScript v8 in Chrome that was being targeted. Given the fact that it can literally be used to exploit any version of the Android OS running the latest version of Google’s Chrome browser, and given the fact that it can immediately provide a malicious individual with total control over a device, it’s undeniably in the best interests of the Android population for this one to be kept under wraps.
The application and injection methods demonstrated were utilized to show how easy the process is without any damage occurring to the exploited device. However, if this JavaScript v8 vulnerability was exploited in the real world, by real hackers with the intention of causing damage and extracting data, then the application used to host that remote code would be far less dormant. The presenters of the information have informed Google of their findings, which will hopefully force the company into quick and swift action.
(Source: The Register)
Would love to here from you...