A recently disclosed vulnerability in Chrome for Android could allow an attacker to gain full control over nearly any Android device.

Quihoo 360 researcher Guang Gong showcased the exploit during the recent MobilePwn2Own segment of the PacSec conference in Tokyo. Using a Google Project Fi Nexus 6, Gong visited a malicious website that took advantage of a vulnerability targeting the JavaScript v8 engine. This allowed the researcher to install an arbitrary application (a BMX bike game), demonstrating complete control of the smartphone.

PacSec organizer Dragos Ruiu said the impressive thing about the exploit is the fact that it was one shot. Most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction, he said.

As a security researcher, Gong had no intentions of publically disclosing the inner workings of the exploit. Instead, he handed the details off to a Google security engineer in attendance who will take the exploit back to Google for futher testing. Gong said he had been working on developing the exploit for three months and believes it affects every version of Android running the latest version of Chrome.

The researcher won a trip to the CanSecWest security conference in March for his efforts and will likely receive a cash reward from Google as part of its bug bounty program.