A recently discovered, zero day vulnerability has been spotted affecting certain older kernel versions of Android, in turn affecting a wide range of popular Android smartphones such as the Google Pixel 2, Mi A1, Redmi Note 5, Samsung Galaxy S9 and more. According to a report by Google’s security researcher Maddie Stone (who discovered it), the vulnerability exploits a local, in-device privilege scope to cause an attack, which then escalates the privilege of the attacker’s app or service to gain root access of the concerned phone. Subsequently, the flaw is designed to take over full control of the affected devices.
The report further states that while only a local-level exploit is possible if the malware is injected through physical sources, injecting it through the internet can also give attackers full remote access to these affected devices. The vulnerability affects certain versions of the Android kernel, which have not been updated to the very latest one. It is important to note that even the most recent software patches on phones with older kernels would be rendered ineffective against this vulnerability, as Stone demonstrated by showing the flaw in action on a Google Pixel 2 smartphone running Android 10 with September 2019 security patch.
As disclosed by Stone in the Google Project Zero blog, the list of affected devices right now include Google’s Pixel 1, 1XL, 2 and 2XL, Huawei P20, Xiaomi’s Redmi 5A, Redmi Note 5 and Mi A1, Moto Z3, Oppo A3, all LG smartphones running on Android Oreo, and Samsung’s flagships from the past three years — Galaxy S7, Galaxy S8 and Galaxy S9. Given that a lot of the devices mentioned here were sold in healthy numbers, this makes the vulnerability even riskier, since it extends to the possibility of widespread surveillance being enforced, through Android.
In fact, the original Google post states that it is already in use by Israel’s surveillance agency, the NSO Group, who might be offering its services to the government itself, or to officially backed agencies. Google has disclosed its course of action against the vulnerability, stating, “This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners, and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.”
As a result, be sure to look out for the latest update on your phone(s), which should be rolling out over the next couple of weeks. The update will deliver the critical security patch, covering yet another critical zero-day bug that could still have devastating effect on those not aware of it.