Android Pwned and Owned in one hyperlink with Chrome

MobilePwn2Own at PacSec in Tokyo, Japan proved to be a good one for the Goog. A vector demonstrated by a guy named Guang Gong, consisting of:

  1. An Android device
  2. A website link
  3. Chrome

 …was able to install a BMX game. While that might not seem like a big deal, the installation code could have been anything. Malicious code could have been placed at the link, giving an attacker full remote control of the Android handset.

Gong stated all Android devices are vulnerable.

The good thing, is that a Google security analyst was present, and after conferring with Gong that neither his vector nor the exploit details had released to the public, The Goog traded a fat sack of cash for exploit exclusivity…mitigating what could have been another blow to Android security.

Android has taken a severe beating in the media when it comes to the context of security. The Stagefright vulnerability exposed 6 exploits earlier in the year, and Google has just recently gotten around to patching them…but only on 3 Nexus devices. Most Android based technology is still vulnerable. 

%d bloggers like this: