Major Android Chrome exploit could make millions of phones vulnerable


A bug has been found in the Android version of Chrome that could potentially enable hackers to install and run whatever apps they like on your phone.

The Register first reported that the bug was found in Chrome's V8 JavaScript engine, meaning that the dodgy code could conceivably be loaded onto your phone if you visit a malicious website.

Worse still, as this bug was found in one of the newest Android handsets – Google's own Nexus 6 (Project Fi version) – it suggests the problem could affect lots of phones. Which is bad.

The good news, however, is that the bug wasn't discovered by evil hackers but by one of the good guys. Chinese hacker Guang Gong showcased the exploit at the Mobile Pwn2Own part of the PacSec conference in Tokyo – a meeting of security experts who show off what they've discovered for the kudos.

In fact, Gong could even be in line for a cash reward from Google for finding the problem, as part of its Android Security Rewards Program, so there's no need for him to become a super villain.

Google: we're aware

What's particularly notable is that the exploit works on its own in a single go, and doesn't require multiple vulnerabilities to work together.

When showing it off, the hacker demonstrated the size of the hole by installing an app (in this case, a BMX game) successfully without seeking the user's permission. This means that as a result of the vulnerability, unauthorised code could be run on your phone.

Gong has also apparently shared details of his exploit with Google, so that the company can build a patch to stop it working.

Google told techradar it's pleased about the find, adding: "Congratulations to Guang Gong, and thank you for ultimately making the Android and Chrome ecosystem safer and stronger."

It'll be interesting to see how long it will be before the patch cascades down to each individual Android handset, as one persistent criticism of the Android platform from security experts is that, because software updates are controlled by phone manufacturers and networks, it's harder to patch quickly – iOS, by contrast, can be patched easily by Apple at any point.