A very serious Android exploit that affects all versions of the operating system running the latest version of Chrome has been discovered by a Quihoo 360 researcher at MobilePwn2Own during the PacSec conference in Tokyo.

Guang Gong, the researcher who discovered the exploit nearly three months ago, demonstrated it on a Google Project Fi Nexus 6 which he was able to hack in just one attack.

“Most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction,” said PacSec organiser Dragos Ruiu in a report on The Register.

Ruiu went on to explain that by using a website that exploits a JavaScript v8 vulnerability in the Chrome mobile browser, Gong was able to install a game with no user interaction required at all.

What makes this so dangerous is that because it uses a JavaScript exploit, a bit of tweaking can result in any Android system being targeted and any software at all – including, of course, malware – being installed in the same manner.

Google, which had a security engineer on site during the competition, will most likely pay a security bug bounty to anybody who can disclose the details of the exploit since Gong did not.

As a reward for finding the bug, Gong will be going to CanSecWest Security conference in March 2016 at Google’s expense.

Some serious work needs to be done on the Android operating system, which has been known to have its share of bugs and security flaws. Once original equipment manufacturers start adding tweaks to the Android architecture even more vulnerabilities begin to surface and malicious attacks such as forwarding personal emails to unsavoury accounts can be executed easily.

Hopefully, Google starts taking security in its mobile operating system a bit more seriously and stories like this become a lot less common.

[Via – The Register] [Image CC by 2.0 – Iwan Gabovitch]