A zero-day vulnerability gives attackers full control of Android phones

At least 18 different phone models are vulnerable to a zero-day
vulnerability in Google’s Android mobile operating system that’s being
exploited by attackers.
There is reported evidence that the vulnerability is being actively
exploited by exploit developer NSO Group or one of its customers. NSO
refutes that claim.
The exploits require little or no customization to fully
root vulnerable phones. The vulnerability can be exploited in two different
ways: (1) when a target installs an untrusted app, or (2) for online attacks,
by combining the exploit with a second exploit targeting a vulnerability in
code that the Chrome browser uses to render content.
A member of Google’s Project Zero, Maddie Stone, stated
that “The bug is a local privilege escalation vulnerability that allows for a
full compromise of a vulnerable device.” Stone went on to state, “If the
exploit is delivered via the Web, it only needs to be paired with a renderer
exploit, as this vulnerability is accessible through the sandbox.”
Some of the phones that are affected by this vulnerability include:
Pixel 1 XL
Pixel 2 XL
Xiaomi Redmi 5A
Xiaomi Redmi Note 5
Oreo LG phones
In the Project Zero thread, a member of Google’s Android
team stated that the vulnerability would be patched in Pixel devices in the
October Android security update. The schedule for other devices to be patched
wasn’t immediately available, though Google stated that a patch has been made
available to partners. The Pixel 3 and Pixel 3a devices are not affected.
Another Project Zero member, Tim Willis, wrote, “This issue
is rated as high severity on Android and by itself requires installation of a
malicious application for potential exploitation. Any other vectors, such as
via web browser, require chaining with an additional exploit.”
While this vulnerability is serious, the chances of being
exploited by attacks as expensive and targeted as the one described by Project
Zero are extremely slim. For safety’s sake though, it would make sense to hold
off on installing any non-essential apps, and to use a non-Chrome browser until
after the patch is installed.
If we can be of help with your network or computer, give us a call here at
RHYNO Networks: (855) 749-6648.