The bad news? All it takes is opening a website containing the malicious code and an attacker can have full control of your phone, and do things like download additional apps without your interaction.
The good news? It’s not out in the wild. Yet.
Detailed information about the exploit wasn’t presented, but Gong says that it took three months of work ahead of the competition.
It looks like those efforts will now pay off though, as Gong has won a trip to the CanSecWest security conference next year. A member of Google’s security team was also present and took the exploit details back to HQ, so it’s likely Gong will receive a bug bounty too.
While it’s not the first exploit that allows hackers to install apps and carry out other nefarious activities remotely, the simplicity of a single malicious link giving full control is just a little bit scary.
And don’t go thinking a brand new phone won’t be susceptible – the exploit was demonstrated on a Nexus 6.
➤Latest Android phones hijacked with tidy one-stop-Chrome-pop [The Register]