back to article Latest Android phones hijacked with tidy one-stop-Chrome-pop

Google's Chrome for Android has been popped in a single exploit that could lead to the compromise of any handset. The exploit, showcased at MobilePwn2Own at the PacSec conference in Tokyo yesterday but not disclosed in full detail, targets the JavaScript v8 engine. It can probably hose all modern and updated Android phones if …

  1. gerdesj Silver badge

    Good skills Guang, bad skills err pretty much everyone shipping software

    "The impressive thing about Guang's exploit is that it was one shot" - bugger! Goog have some of the best in the business, and lots of them, building their browser(s) and Android. They have to - it's a fundamental underpinning of their business: waving text n pics paid for by advertisers at a semi captive audience.

    However, one bloke on his own can pwn their stuff like this, which is bad for business. How bad? Not bad enough to spend real money on. Some, but not enough to make a real difference.

    For Goog to develop really safely will require an entire team of skilled security conscious programmer-auditors to shadow each and every one of their already pretty skilled developers who will audit code as it is checked in. That applies beyond Goog to include ... oooh look: squirrel.

    1. Anonymous Coward
      Anonymous Coward

      Re: Good skills Guang, bad skills err pretty much everyone shipping software

      require an entire team of skilled security conscious programmer-auditors to shadow each and every one of their already pretty skilled developers who will audit code as it is checked in.

      Nope, that's rework. In manufacturing, the better manufacturers worked out decades ago that it was better not to make junk, than to have to pay for it twice through rework or warranty. IT companies haven't made this connection, even after several decades of security snafus.

      The fundamental problem is that far too much code is vulnerable when written due to poor practice, with an expectation that testing will show the holes (which it often doesn't). The answer is not to have even more auditing, but to do the job properly in the first place. But because the owners of the code IP are not legally accountable for the faults in their output (though devious licence agreements), why pay higher rates for really good coders? Higher profits arise from shipping weak code put together by cheap programmers who don't care.

  2. Anonymous Coward
    Anonymous Coward

    Back to the drawing board.....

    ....for the NSA.

  3. Yugguy

    Any handset? Not mine.

    Chrome was the first thing to be disabled on my cyanogenos phone, along with all the other google shite, hangouts, cloud print, drive, android webview, google app, books, tv,play, text to speech, photos, talkback etc. etc.

    And you know what?

    I have not missed and do not need ANY of them.

    1. g e

      Re: Any handset? Not mine.

      So what, then, Dolphin ?

      Or do you mean you could actually still get by fine with a Nokia 6320 ?

      1. Yugguy

        Re: Any handset? Not mine.

        No - it's a Wileyfox Swift, an amazingly high-specced phone for its 130 pound price tag, its big brother the Storm being just as amazingly high-spec for its 200 pound price tag. There are an increasing number of cyanogenos phones coming out that are starting to make the high-end and even higher-priced mainstream efforts look like a pointless waste of money.

        I presume the down votes are from a Google web crawling drone. I can't think of a reason that an actual human being with presumed higher brain functions would wish to defend Google.

        1. sabroni Silver badge

          Re: Any handset? Not mine.

          You were being asked what browser you use to avoid this chrome vulnerability as Cyanogen isn't a browser, dolphin being the old android default browser.

          But thanks for the marketing message. Any downvotes will doubtless be someone with lower brain functions.

          1. JoeF

            Re: Any handset? Not mine.

            Firefox for Android is a good choice. I rarely use Chrome on Android.

          2. Yugguy

            Re: Any handset? Not mine.

            Ah-the question confused me as I presumed Dolphin was a form of phone as per the mentioned Nokia 6320.

            The standard CyanogenOS browser seems fine, but I also have the CM Browser.

            1. Yugguy

              Re: Any handset? Not mine.

              I'll stand my comment though, echoed on many reviews and forums, that part of the reason these cyanogenos phones are so good is that they're not laden down with either manufacturer or google bloatware that crucially you often have no way of disabling or removing.

            2. John Cupitt

              Re: Any handset? Not mine.

              The CyanogenOS browser is based on Chrome and is probably also vulnerable to this bug.


              The CM Browser is just a thin wrapper over Chrome and is probably also vulnerable to this bug.

              Firefox uses a different rendering and javascript engine, but will obviously also have bugs.

              The best way to avoid vulnerabilities is to use a well-supported browser and to keep up to date with the latest patches.

    2. Phil Kingston

      Re: Any handset? Not mine.

      Sounds like you installed the wrong ROM for you.

      But with you on going the non-mainstream handset choice.

  4. Anonymous Coward
    Anonymous Coward


    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft?

    People need to give themselves a shake and stop using MS products!

    1. Anonymous Blowhard

      Re: Surprise!

      Yes, Microsoft Android and Microsoft Chrome really do show how much Microsoft care about users of those products...

  5. NotWorkAdmin


    I wonder at what point it will become clear allowing remote code to execute locally is a bad idea.

    1. sabroni Silver badge

      Re: Javscript

      Just as soon as everyone becomes capable of writing all the apps they need themselves?

  6. dotdavid

    At least this is in Chrome rather than some Android core lib; you can get an update from the Play Store rather than waiting for carriers/manufacturers.

    Even the core WebView component is a Play Store app now, to help address that issue.

  7. sabroni Silver badge

    Single exploit gives total pwnage.

    If it was on Windows Phone this place would be full of smartarses mouthing off about how shit MS are. You know, how hacking a browser should never compromise core system components, how MS don't sandbox things properly and their security implementation is flawed.

    You never see that kind of helpful wisdom sharing on articles about Google vulnerabilities.

    1. Thecowking

      Re: Single exploit gives total pwnage.

      I think we just did.

      1. sabroni Silver badge

        Re: I think we just did.

        One smartarse isn't a forum full. Compare and contrast, both articles are 2 days old: Currently 108 comments currently 20 comments including this.

  8. oneeye

    javascript = ad networks !!

    Really surprised that the article did not mention ad networks that could be used to deliver the exploits. Which is a growing problem for mobile. But fortunately,there are several browsers now that blocking can be used on. Plus many apps that do this globally, including noroot firewall apps.

    The researcher Guang, is one of 360 s group that found the stagefright 2 vuln.,right after the first notices of the original vuln affecting mms. They had a blog post about the mp3,mp4 being a part of the stagefright vulnerabilities, months before Zimperium announced them. They also mentioned that file managers with media players were at risk. I know because I contacted the developer of the app I use. Total commander then updated with a warning notice for this vuln. placed before playing any media. The fix for stagefright 2 is finally in the update 5.1.1 os for AOSP. and Marshmallow has it too.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022