Google researchers found a serious vulnerability in a number of Android devices. The phones in question are the Pixel, Pixel 2, Huawei P20, Samsung Galaxy S7, S8 and S9. The Xiaomi Redmi 5A, Redmi Note 5, Xiaomi A1, Oppo A3 and Moto Z3 are also on the list and require additional patching.
Google says it found the flaw seven days ago. It is not as serious as it sounds, because exploitation requires malicious software installed with the user's permission. However, it is strange that the patch pushed back in December 2017 was not maintained in subsequent versions.
Google finds Android zero-day impacting Pixel, Samsung, Huawei, Xiaomi devices. The vulnerability was patched in older Android OS versions, but resurfaced in newer releases.
Google disclosed today that it found evidence of an unpatched Android vulnerability, a so-called "zero-day", being used in attacks in the real world.
The vulnerability resides in the Android operating system’s kernel code. It can be used to help an attacker gain root access to the device. Ironically, the vulnerability was patched in December 2017 in Android kernel versions 3.18, 4.14, 4.4, and 4.9, but newer versions were found to be vulnerable.
Google researchers believe that the vulnerability impacts the following Android phone models, running Android 8.x and later:
1. Pixel 2 with Android 9 and Android 10 preview
3. Xiaomi Redmi 5A
4. Xiaomi Redmi Note 5
8. Oreo LG phones
9. Samsung S7, S8, S9
Google researchers also said that the "exploit requires little or no per-device customization". This means it should be able to work on a wide range of handsets, although they have not confirmed this with manual reviews, as they did for the devices listed above.
Google: Zero-day linked to NSO Group
Google's Project Zero team discovered the vulnerability. The company's Threat Analysis Group (TAG) later confirmed its use in real-world attacks. These are the same two teams that discovered, last month, a batch of 14 zero-days used against iOS users. https://en.m.wikipedia.org/wiki/Zero-day_(computing)
However, the Android zero-day and the iOS zero-days appear to be unrelated. The attacks on iOS users have since been linked with a Chinese state-sponsored group conducting surveillance operations against their own citizens. Google has not released the details about the Android zero-day.
Google's TAG said it believes the Android zero-day is the work of NSO Group, a well-known Israel-based company which sells exploits and surveillance tools. The company has been criticized for selling hacking tools to oppressive regimes but, facing rising criticism, has recently pledged to fight customers who abuse its tools to spy on innocents or political opponents.
Not as dangerous a vulnerability as it could have been
The good news is that the Android zero-day is not as dangerous as other past zero-days. For starters, it's not an RCE (remote code execution) that can be exploited without user interaction. There are certain conditions that need to be met before an attacker can exploit this vulnerability.
Android rated this issue as High severity. By itself, it requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit.
Android partners have been notified, and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable, while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update. The zero-day is now tracked as CVE-2019-2215. The Project Zero team's bug tracker entry holds proof-of-concept code.