Google has discovered a security flaw in its Android OS’ kernel code that is not only affecting its Pixel phones, but also phones from Samsung, Huawei, Xiaomi, and others. A similar Android OS flaw was fixed in 2017, but it has now cropped up on newer software versions as well. This vulnerability has been given the zero-day status as instances of it being used in the real world have been found. The vulnerability has been exploited by a company called the NSO Group based in Israel. This company is known for creating exploits, including a mobile spyware called Pegasus.
Google has published the proof of concept for the Android OS vulnerability, so users can check if it affects other devices as well. The tech giant confirms that affected devices include Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Huawei P20, Redmi 5A, Redmi Note 5, Mi A1, Oppo A3, Moto Z3, Oreo LG phones, Samsung Galaxy S7, Samsung Galaxy S8, and Samsung Galaxy S9. There’s no guarantee that other devices aren’t vulnerable, and therefore the proof of concept will help in ascertaining and adding to the list.
The vulnerability can be exploited when the target installs a malicious app, therefore rendering it less dangerous than the others. “This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit,” Project Zero member Tim Willis wrote below the post. However, it can be used by an attacker to gain root access of a device.”It is a kernel privilege escalation using a use-after free vulnerability, accessible from inside the Chrome sandbox,” the post adds.
Google says that it has already notified its Android partners, and has made the patch available on the Android Common Kernel as well. Pixel and Pixel 2 users will get the patch alongside the October update. Pixel 3 series is not vulnerable to this exploit. Project Zero normally offers a 90-day breather for developers to fix an issue before making it public, but in the event of active exploits, the vulnerability was published in just seven days. The Android Project Zero page adds that an Android exploit attributed to the NSO Group was found, and that the bug was allegedly being used or sold by the NSO Group.
We recommend that you update your Pixel phones as soon as you receive the October patch, and hopefully OEMs should release the patch to affected devices soon.