A new vulnerability has been found in a Google Chrome exploit that targets JavaScript engine to let attackers hack almost any Android device. The exploit was showcased at MobilePwn2Own at the PacSec conference in Tokyo on 12 November.

Quihoo 360 researcher Guang Gong showcased the new Chrome exploit he developed over three months to a PSN2OWN panel at the conference, reports The Register. The exploit does not reportedly involve multiple vulnerabilities but is claimed to require a single clean attack through JavaScript V8 engine to provide backdoor access to hackers. "The impressive thing about Guang's exploit is that it was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction," PacSec organiser Dragos Ruiu told Vulture South in an interview.

Ruiu says the Chrome exploit was demonstrated on a new Project Fi Nexus 6, which probably runs on the Android 6.0 Marshmallow operating system. However, this doesn't mean that the vulnerability only exists on the Nexus range of hardware. It is claimed to exist on any Android smartphone that has the recent version of Chrome web browser.

"As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone," Ruiu said.

Google has already been notified about the vulnerability and a security bug bounty is expected to be announced for highlighting the exploit. However, Google has not yet acknowledged the presence of the bug.