Posting on Facebook, PacSec organizer Dragos Ruiu stated that:
The actual panel title from the conference gives some idea how the exploit works. Guang Gong of Chinese software company Qihoo 360, who revealed the exploit, spoke on the topic of: “Exploiting Heap Corruption due to Integer Overflow in Android libcutils — Escalate privilege by vulnerabilities in Android system services: How to exploit CVE20151528 to get system_server permission in Android.” According to The Register, a Google security expert was at the conference, and a patch or update from Google is to be expected soon.
Given the nature of the exploit, Android tablets and even mini-PC Android TV sticks running Chrome are likely to be equally vulnerable. And existing mobile security apps and firewalls will likely provide no defense against it. The Register hadn’t received any response from Google on its request for comment at the time of writing.
There’s no sign yet that this vulnerability has been exploited in any malware or other malicious hack. But until a patch is announced, Android users might want to limit their mobile browsing to known, safe sites, or use other browsers than Chrome.