Another day, another Android security bug.

A security researcher has discovered a gaping security hole in Android that leaves users extremely vulnerable to attackers remote hijacking their devices and executing arbitrary code in a single attack.  

Quihoo 360 researcher Guang Gong demonstrated his exploit at MobilePwn2Own at the PacSec conference in Tokyo. Gong did not reveal the details of the exploit to prevent malicious individuals from taking advantage of the information. However, he did say the exploit targets the JavaScript v8 engine, and users can easily fall prey to attackers by opening links to malicious websites.

The demonstration revealed Google's own Nexus 6 with Android 6.0 Marshmallow and running on Project Fi is vulnerable to the attack. His demonstration showed Gong successfully installing an arbitrary app, specifically BMX Bike, on a Nexus 6 without physically interacting with the device.

"The impressive thing about Guang's exploit is that it was one shot," says Dragos Ruiu, PacSec organizer, speaking to The Register's Vulture South. "Most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction."

Because the exploit takes advantage of the JavaScript engine, Ruiu says it can be easily recoded to be used against virtually every Android device on the planet.

"The vuln being used in recent version of Chrome should work on all Android phones," Ruiu says. "We were checking his exploit specifically but you could recode it for any Android target since he was hitting the JavaScript engine."

A Google security engineer who was present at the conference received the exploit to take it back to Mountain View for further testing and, hopefully, a speedy fix to patch up the hole. Gong is also expected to receive a considerable dollar sum through Google's bug bounty program for discovering the bug. Ruiu will also fly Gong to the CanSecWest security in Vancouver in March 2016.

This is not the first time security researchers have discovered huge, scary bugs in Android. Numerous vulnerabilities have been found in recent months, but the biggest of them is the Stagefright bug, which lets attackers take control of a device simply by sending a message.

Google has responded to news of Android security bugs continuously pouring in by promising to release monthly security patches. Unfortunately, these regular updates are only easily available to its line of Nexus devices. The majority of Android devices continue to be vulnerable. 

Photo: Claudia Rahanmetan | Flickr

ⓒ 2021 All rights reserved. Do not reproduce without permission.