Vicious Chrome V8 JavaScript Exploit Leaves All Android Devices Ripe For Attack

If you’re an Android user that makes heavy use of Google’s Chrome web browser (and what Android user doesn’t?), you’ll want to pay close attention to a new exploit that has the capability of taking your smartphone hostage.

The tricky exploit was demonstrated at MobilePwn2Own, held as part of the PacSec conference in Tokyo. Qihoo 360 security researcher Guang Gong first uncovered the vulnerability, and thankfully, he hasn’t publicly revealed detailed specifics on its inner workings. However, we do know that it takes advantage of Chrome’s open source V8 JavaScript engine.


What makes the exploit so dangerous — which is another reason why we’re glad that this exploit hasn’t fallen into nefarious hands — is how easily it can take advantage of an Android device. “It was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction,” said PacSec organizer Dragos Ruiu.

“As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.” While a BMX game is relatively harmless in the grand scheme of things, a lot more damage could have been done.

Luckily, Google has been made well aware of the exploit and is no doubt working furiously to exterminate it. And since Gong was responsible enough not to release it into the wild with reckless abandon, he’ll likely be eligible to receive an award from Google’s bug bounty program. Since Gong used a Nexus 6 to demonstrate this new exploit, he could be eligible for up to an $8,000 reward from Google depending on its severity (in Google’s eyes).