Chrome zero-day flaw places millions of smartphone users at risk

A severe security flaw in the Chrome browser allows attackers to hijack Android mobile devices on the latest operating system.
Written by Charlie Osborne, Contributing Writer

A Chinese researcher has developed an exploit which allows attackers to hijack Android mobile devices through the Chrome browser, placing millions of users at risk.

Speaking at the PacSec conference held in Tokyo, Japan this month, Qihoo 360 researcher Guang Gong demonstrated how the zero-day flaw could be exploited to take over a fully updated Android device.

As reported by Security Affairs, the Chinese security expert leveraged a flaw in Chrome's V8 JavaScript engine to hijack a Google Project Fi Nexus 6 device running the latest OS, Android 6.0 Marshmallow.

PacSec team member Dragos Ruiu said in a Google+ post that the researcher was able to hijack his device fresh out of the box -- with not just the latest OS, but a swath of fully-updated applications -- simply by pointing the smartphone's browser at a web server Gong had personally set up, complete with a ready-made malicious page.

The JavaScript engine flaw then came into play and installed an arbitrary application used to wrestle control of the device away from the user and into the attacker's hands. Beyond visiting the site, the user did not have to interact with the malicious page at all for the exploit to work.

In the researcher's example, the arbitrary app was a BMX bike game, but in theory this could be any third-party app which appears legitimate. Malicious apps which pose as legitimate, acceptable software are often used to mask an attacker's activities, which can include device hijacking, data theft and surveillance.

Ruiu called the attack a "one-shot exploit" which "did everything in one go instead of chaining multiple vulnerabilities" -- a serious problem for Android security, since it also suggests that the millions of Android devices running Chrome's V8 JavaScript engine could be affected, placing countless users at risk.

"Offline we also tested his exploit on some other phones and it looks like it works on many targets -- so I guess the three months he put into developing it delivered results," Ruiu said. "Since we don't have any lavish prizes for him, I'm bringing him to Canada next year for some skiing/snowboarding at CanSecWest."

Gong said on Twitter that the zero-day, tracked as CVE-2015-6612, was reported by Gong and another unnamed researcher in August, but a fix is yet to arrive.

In July, Google issued a security update which patched critical flaws in the Chrome browser, including a number of high-risk universal cross-site scripting (UXSS) bugs.

In an email to ZDNet, a Google spokesperson said: "Congratulations to Guang Gong and thank you for ultimately making the Android and Chrome ecosystem safer and stronger."

The spokesperson added that Google is looking into a fix right now and will share more details as soon as it can.
