Android Becomes Vulnerable In New Phone Hack But Details Still Under Wrap
A new phone hack that can bypass the security system using JavaScript v8 exploit renders Android phones vulnerable.
The hacker can tap administrative access and upload any malicious program or malware into the device, said the report.
"The most interesting thing about the demonstrated exploit is that an attacker doesn't have to take advantage of any other separate exploits first. All a person has to do is use Chrome to visit a compromised website with the new exploit loaded in, and that's it. Smartphone attacked," said PC Mag Asia.
The Android phone hack vulnerability was first raised by Quihoo 360 researcher Guang Gong during the recent PacSec forum in Tokyo.
PacSec organizer Dragos Ruiu said in an interview with Vulture South, per End Gadget, that one of the most dangerous about this recent phone hack targeting Android devices was that "it was one shot."
"Most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction," he explained. "As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone."
He added, "The vuln being in recent version of Chrome should work on all Android phones; we were checking his exploit specifically but you could recode it for any Android target since he was hitting the JavaScript engine."
For his efforts in finding out the Android phone vulnerability to hack, Guang Gong will likely get a reward from Google, noted The Register, especially since how he managed to find the exploit wasn't detailed.
He will also go to an all-expense paid trip to the CanSecWest conference in March next year.
"Last year hackers hosed popular phones for shares in $425,000 in cash rewards, but security sponsors Google and Hewlett Packard's Zero Day Initiative pulled out," the article said. "Google did not offer detail to questions about its withdrawal, instead pointing Vulture South to its security rewards programs for Android."
