Researchers from Google's elite bug-hunting group, Project Zero, have reported the existence of a bug in Pixel, Xiaomi, and Huawei devices.
The vulnerability was patched earlier, in December 2017, in Android kernel versions 3.18, 4.14, 4.4, and 4.9. Surprisingly, newer versions of Android have been found vulnerable to the flaw again.
Google's Project Zero team says the bug could be exploited by an attacker to gain root access to a device. Only devices that run Android 8.x or later are affected, including the following:
- Pixel 2 with Android 9 and Android 10 preview
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung S7, S8, S9
Apart from the devices listed above, the team also noted that the “exploit requires little or no per-device customization,” so other devices may be affected as well.
The good news is that the flaw is not a remote code execution (RCE) bug, which means it cannot be exploited without user interaction. However, installing a malicious application from an untrusted source could pave the way for an attacker to hijack your device. Attackers can also exploit the flaw if they pair it with vulnerabilities in the Chrome browser's content rendering.
“This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit,” a spokesperson for the Android Open Source Project said.
The Android team said, “We have notified Android partners, and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.”
Google's Project Zero team stated that the bug is already being exploited in the real world and has linked the attacks to the Israel-based NSO Group, popularly known for selling exploits and surveillance tools. In response, NSO Group denied responsibility for this attack.
“NSO did not sell and will never sell exploits or vulnerabilities,” an NSO Group spokesperson said in a statement to ZDNet.
“This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives.”
Until the issue has been patched, don't install apps from untrusted sources, and use an alternative browser such as Firefox or Brave.