Attackers can hijack an Android phone just by convincing you to click on a link to an infected website


Another day, another hole in smartphone security.

Security researcher Guang Gong recently discovered an exploit in Android phones that allows for an attacker to gain control of a person’s phone if they click on a link to a website containing malicious code, The Register reports. The attacker then has the ability to download additional apps to the infected device without the user’s interaction.

This latest exploit, which thankfully has yet to appear in the wild, was highlighted by Gong during his participation in hacking contest MobilePwn2Own during the2015 PacSec conferencein Tokyo. As part of his prize, he won a trip to the 2016 CanSecWest security conference, and could also end up receiving a bug bounty from Google, who was made aware of the exploit.

Gong discovered the vulnerability involved the manipulation of the V8 JavaScript engine and showed the weakness was present in essentially all versions of Google’s Android OS. He even demonstrated that the vulnerability affected new products, such as the Nexus 6.

While details were sparse, Gong said it took him three months of work prior to the competition to find the hole.

“The impressive thing about Guang’s exploit is that it was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction,” PacSec organizer, Dragos Ruiu, told The Register’s Vulture South . “As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.”