A researcher at Quihoo 360 recently discovered an exploit in Chrome that can probably demolish even the newest, most up-to-date Android devices if the user visits an infected site.

The vulnerability was exposed at PacSec’s MobilePwn2Own event. What makes the exploit particularly unsettling is that it’s just one exploit, not an elaborate chain of exploits that interlink to reach an eventual compromise. Although the showcase did not go into the precise details regarding how the exploit works, it was revealed that it takes advantage of a vulnerability in JavaScript v8.

See also: New Android adware reportedly “nearly impossible” to remove101

The researcher who discovered the exploit is Guang Gong, and PacSec will be rewarding Guang for uncovering and releasing the exploit by flying him to the CanSecWest security conference for a ski trip in March of 2016. In addition to this, Google will also likely pay a bounty for the bug’s discovery, as a Google security representative at the event took Guang’s work back for consideration.

The vulnerability took the researcher three months of development to fully flesh out, but when he demonstrated it, the method proved scarily smooth and efficient. A Nexus 6, after visiting an unremarkable web address laced with the malicious script, was able to be taken over entirely by Guang, who used this access to download a BMX bike game on the device.

PacSec’s organizer, Dragos Ruiu, reported that this vulnerability should work on any Android device since it hits the JavaScript engine. Soon after the exploit’s reveal, a German team claims to have been able to replicate it on a Samsung device.

Pretty spooky stuff, all in all.

What are your thoughts on this compromise? Let us know in the comments below.