Researchers from Googles’ Elite bug hunting group, Project Zero, have reported the existence of a bug in Pixel, Xiaomi, and Huawei devices.
The vulnerability was patched earlier in December 2017 in Android kernel versions 3.18, 4.14, 4.4, and 4.9. Surprisingly, newer versions of Android have been found vulnerable to the flaw again.
Google’s Project Zero team says the bug could be exploited by an attacker to gain root access to a device. The phones affected by the flaw are only devices that run Android 8.x or later including the following;
- Pixel 2 with Android 9 and Android 10 preview
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung S7, S8, S9
Apart from the devices listed above, the team also noted that the bug “exploit requires little or no per-device customization,” so this may also affect other devices as well.
The good news is the exploit is not an RCE (Remote Code Execution), which means it cannot be executed with no user interaction. However, the installation of malicious applications from untrusted sources could pave the way for an attacker to hijack your device. Besides, attackers can also exploit the flaw if they pair it with vulnerabilities in the Chrome browser to render content.
“This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit,” a spokesperson for the Android Open Source Project said.