As much as developers try to make their apps as secure as possible, from time to time there will be flaws discovered. Sometimes these flaws aren’t particularly serious, but sometimes they can be pretty bad. Recently during the PacSec conference in Tokyo, Qihoo 360 developer Guang Gong discovered a particularly nasty vulnerability in Chrome for Android.
Gong reportedly worked the exploit for about 3 months and basically what happened is that the vulnerability targets the app’s JavaScript engine. From there, all the hacker would need to do is direct the user to a website that can exploit the vulnerability and the JavaScript hack will do the rest of the work.
This includes the ability to install apps onto the user’s phone completely without their knowledge. Gong demonstrated the vulnerability to a Google representative who saw it in action. Thanks to his discovery, Gong has since been rewarded with a trip to Vancouver for the CanSecWest Applied Security Conference and where he will also be able to enjoy a ski trip.
As for the vulnerability itself, it is contained only to the app, so for those worried about it being a bigger and system-wide issue like Stagefright, you can rest assured that it’s not. Details of how to work the exploit were naturally unpublished so there is a good chance that it might not even be in the wild yet, so hopefully Google will push out an update soon before someone else figures it out.
Filed in . Read more about Android, Apps, Chrome and Security.