Google Discloses Android Zero Day Vulnerability on Pixel, Samsung, Huawei, Xiaomi Phones

The vulnerability has been exploited by a company called the NSO Group based in Israel.

Share on Facebook Tweet Snapchat Share Reddit Comment
Google Discloses Android Zero Day Vulnerability on Pixel, Samsung, Huawei, Xiaomi Phones

Google has already told its Android partners about the issue

Highlights
  • The flaw can be used by an attacker to gain root access of a device
  • Pixel 3 series is not vulnerable, Pixel, Pixel 2 to get patch soon
  • The patch available on the Android Common Kernel as well

Google has discovered a security flaw in its Android OS' kernel code that is not only affecting its Pixel phones, but also phones from Samsung, Huawei, Xiaomi, and others. A similar Android OS flaw was fixed in 2017, but it has now cropped up on newer software versions as well. This vulnerability has been given the zero-day status as instances of it being used in the real world have been found. The vulnerability has been exploited by a company called the NSO Group based in Israel. This company is known for creating exploits, including a mobile spyware called Pegasus.

Google has published the proof of concept for the Android OS vulnerability, so users can check if it affects other devices as well. The tech giant confirms that affected devices include Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Huawei P20, Redmi 5A, Redmi Note 5, Mi A1, Oppo A3, Moto Z3, Oreo LG phones, Samsung Galaxy S7, Samsung Galaxy S8, and Samsung Galaxy S9. There's no guarantee that other devices aren't vulnerable, and therefore the proof of concept will help in ascertaining and adding to the list.

The vulnerability can be exploited when the target installs a malicious app, therefore rendering it less dangerous than the others. "This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit,” Project Zero member Tim Willis wrote below the post. However, it can be used by an attacker to gain root access of a device."It is a kernel privilege escalation using a use-after free vulnerability, accessible from inside the Chrome sandbox," the post adds.

Google says that it has already notified its Android partners, and has made the patch available on the Android Common Kernel as well. Pixel and Pixel 2 users will get the patch alongside the October update. Pixel 3 series is not vulnerable to this exploit. Project Zero normally offers a 90-day breather for developers to fix an issue before making it public, but in the event of active exploits, the vulnerability was published in just seven days. The Android Project Zero page adds that an Android exploit attributed to the NSO Group was found, and that the bug was allegedly being used or sold by the NSO Group.

We recommend that you update your Pixel phones as soon as you receive the October patch, and hopefully OEMs should release the patch to affected devices soon.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Tasneem Akolawala Tasneem Akolawala is a Senior Reporter for Gadgets 360. Her reporting expertise encompasses smartphones, wearables, apps, social media, and the overall tech industry. She reports out of Mumbai, and also writes about the ups and downs in the Indian telecom sector. Tasneem can be reached on Twitter at @MuteRiot, and leads, tips, and releases can be sent to tasneema@ndtv.com. More
YouTube Music to Get Three Personalised Spotify-Like Playlists This Month
EA’s FIFA 20 Global Series Registration Page Leaked Personal Data of Players, Now Taken Down

Related Stories

 
 

Advertisement

Advertisement

© Copyright Red Pixels Ventures Limited 2020. All rights reserved.
Listen to the latest songs, only on JioSaavn.com