A single malicious Chrome link is enough to give attackers control of your Android phone

A single malicious Chrome link is enough to give attackers control of your Android phone
Credit: Alexander Supertramp / Shutterstock.com

It’s by no means the first time, but security researchers have demonstrated a weakness present in pretty much all versions of Google’s Android OS.

The bad news? All it takes is opening a website containing the malicious code and an attacker can have full control of your phone, and do things like download additional apps without your interaction.

The good news? It’s not out in the wild. Yet.

According to The Register, the vulnerability was discovered by Guang Gong from security software vendor Qihoo360 at the MobilePwn2Own at the PacSec conference in Tokyo, and involves manipulation of the V8 JavaScript engine.

Detailed information about the exploit wasn’t presented, but Gong says that it took three months of work ahead of the competition.

It looks like those efforts will now pay off though, as Gong has won a trip to the CanSecWest security conference next year. A member of Google’s security team was also present and took the exploit details back to HQ, so it’s likely Gong will receive a bug bounty too.

While it’s not the first exploit that allows hackers to install apps and carry out other nefarious activities remotely, the simplicity of a single malicious link giving full control is just a little bit scary.

And don’t go thinking a brand new phone won’t be susceptible – the exploit was demonstrated on a Nexus 6.

Latest Android phones hijacked with tidy one-stop-Chrome-pop [The Register]

Read next: Watch yet another Star Wars: The Force Awakens trailer, if you like that sort of thing

Corona coverage

Read our daily coverage on how the tech industry is responding to the coronavirus and subscribe to our weekly newsletter Coronavirus in Context.

For tips and tricks on working remotely, check out our Growth Quarters articles here or follow us on Twitter.