It’s by no means the first time, but security researchers have demonstrated a weakness present in pretty much all versions of Google’s Android OS.
The bad news? All it takes is opening a website containing the malicious code and an attacker can have full control of your phone, and do things like download additional apps without your interaction.
The good news? It’s not out in the wild. Yet.
According to The Register, the vulnerability was discovered by Guang Gong from security software vendor Qihoo360 at the MobilePwn2Own at the PacSec conference in Tokyo, and involves manipulation of the V8 JavaScript engine.
Detailed information about the exploit wasn’t presented, but Gong says that it took three months of work ahead of the competition.
It looks like those efforts will now pay off though, as Gong has won a trip to the CanSecWest security conference next year. A member of Google’s security team was also present and took the exploit details back to HQ, so it’s likely Gong will receive a bug bounty too.
While it’s not the first exploit that allows hackers to install apps and carry out other nefarious activities remotely, the simplicity of a single malicious link giving full control is just a little bit scary.
And don’t go thinking a brand new phone won’t be susceptible – the exploit was demonstrated on a Nexus 6.
➤Latest Android phones hijacked with tidy one-stop-Chrome-pop [The Register]
Get the TNW newsletter
Get the most important tech news in your inbox each week.