Chrome Exploit Puts Android Smartphones at Risk

A security researcher who uncovered a high-risk exploit in Chrome for Android has received more recognition this week after demonstrating how the vulnerability works at a security conference in Tokyo. Late last year, Guang Gong, a researcher at 360 Total Security, uncovered a vulnerability that could be used by hackers to gain system server privileges on Android devices.

Yesterday during the PacSec conference in Japan, Gong demonstrated how the vulnerability could enable someone to gain control of a smartphone — in this case, Google’s new Nexus 6 — through a vulnerability in Chrome’s V8 JavaScript engine, and use it to install an application without any interaction by the phone’s owner. To date, the bug has not been reported in the wild.

A Google spokesperson told us today that a fix will be released soon. “Congratulations to Guang Gong and thank you for ultimately making the Android and Chrome ecosystem safer and stronger,” Google said. “The Chrome bug has been fixed and will go out in the next few weeks with the next version of Chrome.”

Potential for Google Bounty

According to a report in The Register, the exploit demonstrated by Gong is notable because “it is a single clean exploit that does not require multiple chained vulnerabilities to work.”

The article quoted PacSec organizer Dragos Ruiu as saying, “The impressive thing about Guang’s exploit is that it was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction.”

Gong’s findings could earn him a potential bounty from Google. Under the terms of Google’s current Android Security Rewards Program, the monetary award could include a base amount of $1,000 for uncovering a high-severity vulnerability, as well as additional rewards of $10,000 to $30,000 or more for exploits involving physical or remote access to a device. The Register reported that Gong will also receive a trip from PacSec to a conference in Vancouver next year.

Finding Solutions ‘Gratifying’

“To be uncover [sic] vulnerabilities that potentially could affect consumers Android devices and finding a solution to the problem is very gratifying,” Gong said in a Q&A published by 360 Total Security.

Gong said he uncovered eight Android vulnerabilities while conducting his research, and sent a report of his findings to Google in April. Google later issued an over-the-air fix for one of them in its September update for Nexus devices.

Several other high-profile security flaws have been found in Android this year, which has led Google and several other Android device makers — including Samsung and LG — to commit to offering monthly security updates. One flaw, involving a vulnerability in Android’s mediaserver service, had the potential to affect nearly 1 billion devices around the world.
