At least 18 phone models are affected by a zero-day vulnerability in Google’s Android system that can give attackers full control of the devices, a member of Google’s Project Zero research group said on Thursday night.
A post from the security group suggests it found the bug last week and that attackers were already exploiting it at the time. The post notes the exploit requires no or minimal customization to root a phone that’s exposed to the bug.
Ars Technica notes that there are two different ways attackers can use the exploit: (1) when a target installs an untrusted app, or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.
“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Project Zero member Maddie Stone wrote. “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”
The devices affected include Google's Pixel models, as well as phones from Chinese manufacturers including Huawei, Xiaomi and OPPO.
Here is a “non-exhaustive list” of vulnerable phones:
- Pixel 1
- Pixel 1 XL
- Pixel 2
- Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung S7
- Samsung S8
- Samsung S9
The Android team says it has notified phone makers so they can issue a patch:
We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.
The researchers speculate the bug is being used by NSO, an Israel-based group known to sell tools to authorities to exploit iOS and Android.
“This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation,” Tim Willis, another Project Zero member, wrote, citing Android team members. “Any other vectors, such as via web browser, require chaining with an additional exploit.”