New Chrome vulnerability can hand over control of your Android phone with just a link
Researcher Guang Gong demonstrated the exploit at MobilePwn2Own, part of Tokyo’s PacSec conference. The full details weren’t revealed, to deter anyone with malicious intent from putting it into action.
Gong was able to take control of a Project Fi Nexus 6 by attacking a JavaScript vulnerability in Chrome. Through the exploit, he installed an application granting total access to the phone without any user notification.
Luckily, a member of Google’s security team was at the event, so Google will soon be at work on a patch (along with offering a hefty bounty for Gong). As long as you avoid sketchy websites and stick to the Play Store for downloads, you should be fine, but it’s always good to keep an eye on the security landscape.
Why this matters: The Stagefright vulnerability raised the issue of Android security to a higher level because of how easily someone could unknowingly infect their device through an MMS message. In response, Google now sends out a monthly patch to Nexus devices, while other hardware makers have said they will also step up their security game. It’s badly needed, as Android’s large market share demands a robust security structure and update system.