Android is well known for its security vulnerabilities. Once again, the Google’s operating system has come into limelight with another scary bug. This time, Google Chrome, the browser, has come under scrutiny for putting users’ privacy in great danger. Although, complete details are not given about how one can hijack an Android device through a loophole in Google Chrome, however, it has something to do with Java v8. The attack can take the attacker through all the security hurdles at once. Bypassing devices’ security systems, the said attacker will have the administrative rights of that Android phone and he can install any sort of app, even the spying apps that can track all users’ activities.
Guand Gong, a Quihoo 360 researcher demonstrated the attack at the Pwn2Own panel at the Pacsec Conference in Tokyo. As there was a chance that someone can exploit that loophole in Google’s browser and can harm users. The demonstration revealed that Google’s very own Nexus 6, which is running Android 6.0 Marshmallow and running on Project Fi is also that weak area. He showed the attendants that he could easily install a third party application on a Nexus 6 device without even touching that device. The amazing thing about Gong’s demonstration is that it was a sure shot; he didn’t have to attempt twice or more. He knew what he was doing and he was confident at it.
The threat of this security loophole is that it uses Java v8, thus, it can be virtually recoded and can harm other Android devices as well. A Google security engineer was present at the conference; he took this vulnerability and said they will test the patch and will find a speedy solution for that. Guand Gong is likely to receive a cash bounty with the courtesy of Google’s bug bounty program. Gong will also visit CanSecWest security in Vancouver in March 2016.
It is not the first case, where security researchers have found a nightmarish loophole in Android’s security. One of them was Stagefright, which is still considered to be the biggest one. With the help of Stagefright, an attacker could control an Android device just by sending a text message. Sounds scary! Google tends to address these security bugs continuously and aims to issue monthly security patches. But, the depressing fact is that, only the in line Nexus devices can easily receive those patches. Other devices continue pose threats to users’ privacy.