A zero-day vulnerability gives attackers full control of Android phones
At least 18 different phone models are vulnerable to a zero-day vulnerability in Google’s Android mobile operating system that’s being exploited by attackers.
At the time of writing there is reported evidence that the vulnerability is being actively exploited by the exploit developer NSO Group or one of its customers. NSO denies that claim.
The exploits require little or no customization to fully root vulnerable phones. The vulnerability can be exploited in two different ways: (1) locally, when a target installs a malicious app, or (2) remotely, by chaining the exploit with a second exploit against a vulnerability in the rendering code the Chrome browser uses to display web content.
A member of Google’s Project Zero, Maddie Stone, stated that “The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device.” Stone went on to state, “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”
Some of the phones that are affected by this vulnerability are:
Pixel 1
Pixel 1 XL
Pixel 2
Pixel 2 XL
Huawei P20
Xiaomi Redmi 5A
Xiaomi Redmi Note 5
Xiaomi A1
Oppo A3
Moto Z3
Oreo LG phones
Samsung S7
Samsung S8
Samsung S9
In the Project Zero thread, a member of Google’s Android team stated that the vulnerability would be patched in Pixel devices in the October Android security update. The schedule for other devices to be patched wasn’t immediately available, though Google stated that a patch has been made available to partners. The Pixel 3 and Pixel 3a devices are not affected.
Another Project Zero member, Tim Willis, wrote, “This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit.”
While this vulnerability is serious, the odds that most users will be hit by an attack as expensive and narrowly targeted as the one described by Project Zero are slim. Until the patch is installed, it still makes sense to hold off on installing any non-essential apps, particularly from unfamiliar sources, and to use a non-Chrome browser. Keep in mind that the web vector needs a separate renderer exploit, and other browsers built on the same Chromium rendering engine share that code, so switching browsers narrows the exposure rather than removing it; the real fix is the update itself, and the Android security patch level shown in the phone’s Settings tells you whether it has arrived.
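The quickest way to confirm a device has received the fix is to read its security patch level and compare it with the date of the update that carries the fix. The script below is an added example written for this post, not code from Google or Project Zero. It assumes `adb` is installed and a phone with USB debugging enabled is attached; the minimum patch level you pass in is your own assumption (the post only says the fix ships in the October Android security update, and each vendor sets its own patch-level date), and the `getprop` output embedded in the file is constructed so the parsing can be exercised offline.

```python
"""Check an Android device's security patch level against a minimum date.

Added example for this post; assumes `adb` is on PATH and a device is
attached. The minimum patch level is supplied by the caller (an assumption,
since vendor patch-level dates differ from Pixel's).
"""
import datetime
import subprocess
import sys
from typing import Dict, Optional

# Constructed sample of `adb shell getprop` output, used so the parsing
# logic can run without a device. On a real device use read_props_from_adb().
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.sdk]: [28]
[ro.build.version.security_patch]: [2019-09-05]
[ro.product.model]: [Pixel 2]
"""

PATCH_PROP = "ro.build.version.security_patch"


def parse_getprop(text: str) -> Dict[str, str]:
    """Parse `getprop` lines of the form `[key]: [value]` into a dict.

    Lines that do not match that shape (blank lines, warnings) are skipped.
    """
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and line.endswith("]") and "]: [" in line):
            continue
        key, value = line[1:-1].split("]: [", 1)
        props[key] = value
    return props


def read_props_from_adb() -> Dict[str, str]:
    """Run `adb shell getprop` on the attached device and parse the result."""
    out = subprocess.run(
        ["adb", "shell", "getprop"], check=True, capture_output=True, text=True
    ).stdout
    return parse_getprop(out)


def patch_level(props: Dict[str, str]) -> Optional[datetime.date]:
    """Return the device's security patch level as a date, or None if absent
    or not in the YYYY-MM-DD form Android uses."""
    raw = props.get(PATCH_PROP)
    if raw is None:
        return None
    try:
        return datetime.date.fromisoformat(raw)
    except ValueError:
        return None


def is_patched(props: Dict[str, str], minimum: str) -> bool:
    """True only if the device's patch level is at or after `minimum`
    (YYYY-MM-DD). A missing or unparseable level counts as unpatched,
    so the check fails closed."""
    level = patch_level(props)
    if level is None:
        return False
    return level >= datetime.date.fromisoformat(minimum)


if __name__ == "__main__":
    # Usage: python check_patch.py 2019-10-06
    # The date is the caller's assumption about which update carries the fix.
    wanted = sys.argv[1] if len(sys.argv) > 1 else "2019-10-01"
    device = read_props_from_adb()
    print(f"{device.get('ro.product.model', '?')}: patch level "
          f"{device.get(PATCH_PROP, 'unknown')}, "
          f"{'patched' if is_patched(device, wanted) else 'NOT patched'} "
          f"relative to {wanted}")
```

Vendors such as Samsung and Xiaomi publish their own patch-level dates, so a phone that has received the fix may still show a different date from a Pixel; the script only tells you whether the level is at or past the date you give it, which is why the threshold is an argument rather than a constant.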
As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648