A zero-day vulnerability gives attackers full control of Android phones

At least 18 different phone models are vulnerable to a zero-day vulnerability in Google’s Android mobile operating system that’s being exploited by attackers.

There is reported evidence that the vulnerability is being actively exploited by exploit developer NSO Group or one of its customers. NSO denies that claim.

The exploits require little or no customization to fully root vulnerable phones. The vulnerability can be exploited in two ways: (1) when a target installs an untrusted app, or (2) for online attacks, by chaining the exploit with a second exploit for a vulnerability in the code the Chrome browser uses to render content.

A member of Google’s Project Zero, Maddie Stone, stated that “The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device.” Stone went on to state, “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”

Some of the phones that are affected by this vulnerability are:

Pixel 1

Pixel 1 XL

Pixel 2

Pixel 2 XL

Huawei P20

Xiaomi Redmi 5A

Xiaomi Redmi Note 5

Xiaomi A1

Oppo A3

Moto Z3

Oreo LG phones

Samsung S7

Samsung S8

Samsung S9

In the Project Zero thread, a member of Google’s Android team stated that the vulnerability would be patched in Pixel devices in the October Android security update. The schedule for other devices to be patched wasn’t immediately available, though Google stated that a patch has been made available to partners. The Pixel 3 and Pixel 3a devices are not affected.

Another Project Zero member, Tim Willis, wrote, “This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit.”

While this vulnerability is serious, the chances of being hit by an attack as expensive and targeted as the one described by Project Zero are extremely slim. For safety’s sake, though, it would make sense to hold off on installing any non-essential apps and to use a non-Chrome browser until the patch is installed.
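One way to confirm a phone has received the October update mentioned above is to read its security patch level and compare it against the October 2019 level. The script below is an added example, not code from the original post or from Google; it assumes the patch level is the YYYY-MM-DD string that `getprop ro.build.version.security_patch` prints, and that the first October 2019 level (2019-10-01) is the earliest one carrying the fix.

```shell
#!/bin/sh
# Added example, not code from the original post. Classifies an Android
# security patch level against the October 2019 update that the article
# says fixes the bug on Pixel devices. Assumption: the level is the
# YYYY-MM-DD string that `getprop ro.build.version.security_patch` prints.

FIX_PATCH_LEVEL="2019-10-01"   # assumed earliest patch level carrying the fix

# Prints one of: patched, unpatched, unknown (malformed input).
# Returns 0 for patched, 1 for unpatched, 2 for unknown.
patch_level_verdict() {
    level=$(printf '%s' "$1" | tr -d '\r')   # adb output may carry a CR
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 2 ;;
    esac
    # A YYYYMMDD number orders the same way as the date, so strip the dashes
    # and compare as integers (portable across POSIX shells).
    have=$(printf '%s' "$level" | tr -d -)
    need=$(printf '%s' "$FIX_PATCH_LEVEL" | tr -d -)
    if [ "$have" -ge "$need" ]; then
        echo patched; return 0
    fi
    echo unpatched; return 1
}

# Reads the patch level from the attached device via adb and reports it.
# Needs adb on PATH and USB debugging enabled on the phone.
check_attached_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found on PATH" >&2
        return 2
    fi
    level=$(adb shell getprop ro.build.version.security_patch) || return 2
    printf 'patch level %s: ' "$level"
    patch_level_verdict "$level"
}

# Usage: sh check_patch.sh 2019-10-05    or    sh check_patch.sh --device
if [ $# -gt 0 ]; then
    if [ "$1" = "--device" ]; then check_attached_device; else patch_level_verdict "$1"; fi
fi
```

A patch level at or after 2019-10-01 only shows the device has the October fix; phones whose vendor ships the update later report an older level until that update lands.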

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648