A Chinese researcher has discovered an exploit which allows attackers to hijack Android mobile devices through the Chrome browser, placing millions at risk.
Speaking at the PacSec conference held in Tokyo, Japan this month, Qihoo 360 researcher Guang Gong demonstrated how the zero-day flaw could be exploited to take over a fully updated Android device.
PacSec team member Dragos Ruiu said in a Google+ post that the researcher was able to hijack his device fresh out of the box -- with not just the latest OS, but a swathe of fully-updated applications -- by sending the smartphone to a web server Gong had personally set up complete with a ready-made malicious page.
The Java flaw then came into action and installed an arbitrary application used to wrestle control of the device away from the user and into the attacker's hands. The user did not have to interact with the malicious page for the exploit to operate beyond visiting the site.
In the researcher's example, the arbitrary app was a BMX bike game, but theoretically this could be any third-party app which appears legitimate. Malicious apps which appear to be legitimate, acceptable software are often used mask an attacker's activities, which can include hijacking, data theft and device monitoring.
"Offline we also tested his exploit on some other phones and it looks like it works on many targets -- so I guess the three months he put into developing it delivered results," Ruiu said. "Since we don't have any lavish prizes for him, I'm bringing him to Canada next year for some skiing/snowboarding at CanSecWest."
Gong said on Twitter the zero-day, given the moniker CVE-2015-6612, was reported by Gong and another unknown researcher in August, but a fix is yet to arrive.