Today at the EUSecWest conference “PWN2OWN” contest in Amsterdam, MWR labs used a zero-day exploit to pwn an Android based Galaxy S3. MWR Labs used Mercury (their custom made framework to find vulnerabilities) to grab text messages, contacts, pictures and more from the phone:
“MWR showed an exploit against a previously undiscovered vulnerability on a Samsung Galaxy S3 phone running Android 4.0.4. Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation.
The same vulnerability could also be exploited through other attack vectors, such as malicious websites or e-mail attachments.”
Check out their website for more information.