A hacking contest paid out $117,500 in prizes this week for exploits against handheld devices – and the biggest winner was “Pinkie Pie”, an under-21 hacker who used drive-by attacks to take over a Samsung Galaxy S4 and a Nexus 4, both of which run Android.
Ars Technica described Mobile Pwn2Own as “making sport out of serious security bugs,” in its report, and said that Pinkie Pie’s hacks relied on vulnerabilities in Google’s Chrome Browser.
Pinkie Pie’s hacks drew applause from the audience – using a malicious site to compromise the devices, and then executing code on both the Nexus 4 and Samsung Galaxy S4, according to The Register’s report.
Heather Goudey, a senior security content developer at HP, which sponsors the contest, wrote, “Within minutes, we had witnessed a successful exploit on two different devices and were ready to pay $50,000 USD for the privilege. Pinkie Pie compromised Chrome on both a Nexus 4 and a Samsung Galaxy S4 just for good measure.”
“The exploit took advantage of two vulnerabilities – an integer overflow that affects Chrome and another Chrome vulnerability that resulted in a full sandbox escape. The implications for this vulnerability are the possibility of remote code execution on the affected device.”
Cybercriminals are increasingly targeting Android devices, with malware detections rising in China and the West, according to a We Live Security report.
A We Live Security guide to making your Android device more secure, using built-in tools, can be found here.
Author Rob Waugh, We Live Security