Google has found an unpatched vulnerability in kernel code of its proprietary Android operating system. The company says that the flaw has likely been exploited in real-world attacks (a zero-day) to gain root access to the device. What’s interesting is that the vulnerability was patched in December 2017 in Android kernel versions 3.18, 4.14, 4.4, and 4.9, but apparently the fix was not carried forward into newer versions.
Google researchers believe that the vulnerability affects phone models running Android 8.x and later, which include Pixel 2 (with Android 9 and Android 10 preview), Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3, Moto Z3, Oreo LG phones, Samsung S7, S8 and S9. According to the researchers, the ‘exploit requires little or no per-device customization,’ which means that it should be able to work on a wide range of handsets (via ZDNet).
The vulnerability was discovered by Google's Project Zero team, which finds zero-day vulnerabilities: the secret hackable bugs that are exploited by criminals, state-sponsored hackers, and intelligence agencies. According to the team’s Threat Analysis Group, the flaw was used in real-world attacks by NSO Group, an Israeli company that has been under fire and that licenses its products (surveillance and hacking tools) to several organisations.
To put things in perspective, NSO Group was alleged to have helped cybercriminals inject spyware on people’s phones. The spyware, called Pegasus, was developed by NSO Group, and it can turn on a phone's microphone and camera and collect location data. The company was also said to be involved in the exploitation of the WhatsApp voice call feature.
How exposed are we?
Google says that the Android zero-day is not as dangerous as other past zero-days, and it cannot be exploited without user interaction. ‘This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners and the patch is available on the Android Common Kernel,’ a spokesperson for the Android Open Source Project was quoted as saying.
Pixel 3 and 3a devices were not vulnerable, while Pixel 1 and 2 devices will receive updates for this issue as part of the October update. Google has reportedly notified Android partners and made the patch available for the Android Common Kernel.