Monday, 23 November 2015

Chrome for Android Vulnerability Discovered by Researcher

Chinese Researcher Discovers Vulnerability in Android Operating System

Over the past few months Google has been busy fixing security vulnerabilities in its widely used Android mobile operating system, though several tend to remain undiscovered and some could be easily misused. Guang Gong, a Chinese researcher from Qihoo 360, demonstrated at Mobile Pwn2Own at the PacSec conference in Tokyo how an Android device running the latest version of the operating system could be hijacked by exploiting a vulnerability in the V8 JavaScript engine through the Chrome browser.

Gong showed that the V8 JavaScript vulnerability in Chrome for Android enabled him to install an arbitrary application on the affected device, a BMX Bike game in this case, without any user interaction, as PacSec organizer Dragos Ruiu explained in a Google+ post. V8 is Google’s open source JavaScript engine; it is written in C++ and used in Google Chrome, the open source browser from Google.

A Google security engineer on site received the bug. Spotpedia reported that a Google engineer got in touch with Gong immediately after his presentation, and rumour had it that the Chrome team had already fixed it. Gong commented on 9to5Google that the exploit was created by someone whose job was to find vulnerabilities and not a hacker with malicious intentions.

Vulnerability in JavaScript Engine in Chrome

As long as Chrome is used to navigate to a malicious site an attacker has set up, the device can be infected. This was demonstrated on a Google Project Fi Nexus 6 running the latest Android 6.0 Marshmallow build with all applications updated. The researcher also demonstrated that the vulnerability could give an attacker total control of the device, and that successful exploitation does not require chaining multiple vulnerabilities.

Ruiu said that this particular one-shot exploit came after three months of work, though the exact details of the security flaw have not been made public. The exploit was tested on other devices too and worked on all of them, according to Ruiu. Because the vulnerability is in the JavaScript engine in Chrome, it is said to affect every Android version on which the latest version of the browser is installed. Ruiu announced through Twitter that the details of the vulnerability had been handed over to a Chrome engineer at the conference.

Series of Critical Android Vulnerabilities Observed

Unfortunately for Gong, his presentation at the conference did not earn him an immediate reward for his efforts, though Google would probably reward him for the discovery of the vulnerability, since the company has a bug bounty program set up for Chrome and Chrome OS. According to The Register, Ruiu would fly Gong to the CanSecWest security conference next year.

Google would most probably handle this vulnerability soon, even though the details of the exploit have not been made public so far. A series of critical Android vulnerabilities has been discovered by security researchers this year, including the Stagefright flaw, which affected almost a billion devices, and a Stagefright 2 issue alleged to affect devices running every Android version since the initial release.