Though we don't have the exact details of how it works, a new exploit for Android devices can allegedly bypass the devices' security systems in one shot. The attack, which uses some kind of JavaScript v8 exploit, can give said attacker complete administrative access to one's device. And once that happens, the attacker can load any app he or she wants onto an Android phone, which could become a gateway for even more malware (or more exploits).

Quihoo 360 researcher Guang Gong showed off the attack at the Pwn2Own panel at yesterday's PacSec conference in Tokyo. The most interesting thing about the demonstrated exploit is that an attacker doesn't have to take advantage of any other separate exploits first. All a person has to do is use Chrome to visit a compromised website with the new exploit loaded in, and that's it. Smartphone attacked.

"The impressive thing about Guang's exploit is that it was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction," said PacSec organiser Dragos Ruiu, in an interview with Vulture South.

"As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone."

Bad news for those looking to take advantage of said exploit for their own nefarious purposes: Google representatives were alerted to the bug at the conference. Since Gong didn't spill the details publicly about how the exploit works, he likely qualifies for some kind of cash reward via Google's bug bounty programs. Exactly how much he might get remains a mystery at this point, as there are a number of factors that go into figuring out just how much exploit reporters receive for their efforts.

Related Android Stagefright Exploit Released to the Public

"In essence, our pledge to you is to respond promptly and fix bugs in a sensible timeframe - and in exchange, we ask for a reasonable advance notice. Reports that go against this principle will usually not qualify, but we will evaluate them on a case-by-case basis," reads Google's description.

Further Reading

Security Reviews