Google Discloses Android Zero Day Vulnerability on Pixel, Samsung, Huawei, Xiaomi Phones

The vulnerability has been exploited by a company called the NSO Group based in Israel.

Share on Facebook Tweet Share Reddit Comment
Google Discloses Android Zero Day Vulnerability on Pixel, Samsung, Huawei, Xiaomi Phones

Google has already told its Android partners about the issue

Highlights
  • The flaw can be used by an attacker to gain root access of a device
  • Pixel 3 series is not vulnerable, Pixel, Pixel 2 to get patch soon
  • The patch available on the Android Common Kernel as well

Google has discovered a security flaw in its Android OS' kernel code that is not only affecting its Pixel phones, but also phones from Samsung, Huawei, Xiaomi, and others. A similar Android OS flaw was fixed in 2017, but it has now cropped up on newer software versions as well. This vulnerability has been given the zero-day status as instances of it being used in the real world have been found. The vulnerability has been exploited by a company called the NSO Group based in Israel. This company is known for creating exploits, including a mobile spyware called Pegasus.

Google has published the proof of concept for the Android OS vulnerability, so users can check if it affects other devices as well. The tech giant confirms that affected devices include Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Huawei P20, Redmi 5A, Redmi Note 5, Mi A1, Oppo A3, Moto Z3, Oreo LG phones, Samsung Galaxy S7, Samsung Galaxy S8, and Samsung Galaxy S9. There's no guarantee that other devices aren't vulnerable, and therefore the proof of concept will help in ascertaining and adding to the list.

The vulnerability can be exploited when the target installs a malicious app, therefore rendering it less dangerous than the others. "This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit,” Project Zero member Tim Willis wrote below the post. However, it can be used by an attacker to gain root access of a device."It is a kernel privilege escalation using a use-after free vulnerability, accessible from inside the Chrome sandbox," the post adds.

Google says that it has already notified its Android partners, and has made the patch available on the Android Common Kernel as well. Pixel and Pixel 2 users will get the patch alongside the October update. Pixel 3 series is not vulnerable to this exploit. Project Zero normally offers a 90-day breather for developers to fix an issue before making it public, but in the event of active exploits, the vulnerability was published in just seven days. The Android Project Zero page adds that an Android exploit attributed to the NSO Group was found, and that the bug was allegedly being used or sold by the NSO Group.

We recommend that you update your Pixel phones as soon as you receive the October patch, and hopefully OEMs should release the patch to affected devices soon.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Tasneem Akolawala When not expelling tech wisdom, Tasneem feeds on good stories that strike on all those emotional chords. She loves road trips, a good laugh, and interesting people. She binges on movies, sitcoms, food, books, and DIY videos. More
YouTube Music to Get Three Personalised Spotify-Like Playlists This Month
EA’s FIFA 20 Global Series Registration Page Leaked Personal Data of Players, Now Taken Down
 
 

Advertisement

 

Advertisement

© Copyright Red Pixels Ventures Limited 2019. All rights reserved.