Chrome Exploit Puts Android Smartphones at Risk
By Shirley Siluk / CRM Daily
A security researcher who uncovered a high-risk exploit in Chrome for Android has received more recognition this week after demonstrating how the vulnerability works at a security conference in Tokyo. Late last year, Guang Gong, a researcher at 360 Total Security, uncovered a vulnerability that could be used by hackers to gain system server privileges on Android devices.

Yesterday during the PacSec conference in Japan, Gong demonstrated how the vulnerability could enable someone to gain control of a smartphone -- in this case, Google's new Nexus 6 -- through a vulnerability in V8, Chrome's JavaScript engine, and use it to install an application without any interaction by the phone's owner. To date, the bug has not been reported in the wild.

A Google spokesperson told us today that a fix will be released soon. "Congratulations to Guang Gong and thank you for ultimately making the Android and Chrome ecosystem safer and stronger," Google said. "The Chrome bug has been fixed and will go out in the next few weeks with the next version of Chrome."

Potential for Google Bounty

According to a report in The Register, the exploit demonstrated by Gong is notable because "it is a single clean exploit that does not require multiple chained vulnerabilities to work."

The article quoted PacSec organizer Dragos Ruiu as saying, "The impressive thing about Guang's exploit is that it was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction."

Gong's findings could earn him a bounty from Google. Under the terms of Google's current Android Security Rewards Program, the monetary award could include a base amount of $1,000 for uncovering a high-severity vulnerability, as well as additional rewards of $10,000 to $30,000 or more for exploits involving physical or remote access to a device. The Register reported that Gong will also receive a trip from PacSec to a conference in Vancouver next year.

Finding Solutions 'Gratifying'

"To be uncover [sic] vulnerabilities that potentially could affect consumers Android devices and finding a solution to the problem is very gratifying," Gong said in a Q&A published by 360 Total Security.

Gong said he uncovered eight Android vulnerabilities while conducting his research, and sent a report of his findings to Google in April. Google later issued an over-the-air fix for one of them in its September update for Nexus devices.

Several other high-profile security flaws have been found in Android this year, which has led Google and several other Android device makers -- including Samsung and LG -- to commit to offering monthly security updates. One flaw, involving a vulnerability in Android's mediaserver service, had the potential to affect nearly 1 billion devices around the world.

Image credit: iStock/Artist's concept.

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.