Android users should update Chrome urgently after a vulnerability was found in the browser allowing attackers to gain root level access to Android phones. It is estimated that around half of all Android users could be affected.
The Android-specific vulnerability, which is identified as CVE-2020-16010, was reported by members of the Google Project Zero team. The vulnerability exists due to a heap-based buffer overflow that is triggered when Google Chrome on Android renders maliciously crafted HTML content. Successfully exploiting the vulnerability may allow the attacker to compromise the entire affected device.
The alert has come from Lookout, mobile security specialists who estimate that up to 50% of Android users globally are running an out of date version of Chrome for Android.
They conducted further analysis on this vulnerability and revealed a successful exploit could allow the actor to perform a sandbox escape via a crafted HTML page, which means the actor can gain access to Chrome’s capabilities without needing to root the device.
Mobile device management (MDM) tools will not detect a successful exploitation increasing the importance that Android users should update Chrome. In the event of a successful exploit, the attacker could have access to any capability that the browser has. This includes access to the camera and microphone, location data, browsing history, and more.