In its warning, Google says 18 smartphones are affected. Among them are the company’s own Pixel flagships, and handsets built by Xiaomi, Huawei, and Samsung. According to Google, the Android zero-day has already been observed in the wild. By exploiting the bug, a bad actor can gain complete control over a smartphone.

The vulnerability was disclosed by Google’s Project Zero threat detection division late last week. The company says the bug has probably been exploited by known Israeli group NSO Group Technologies. This company has often been criticized for exploiting bugs and selling zero-days to governments. In a blog post, Project Zero’s Maddie Stone says there is some evidence that the exploit is “allegedly being used or sold by the NSO Group.” NSO Group has denied any involvement with the vulnerability.
Attack
Stone also said the flaw (CVE-2019-2215) can be exploited in several ways. For example, a bad actor could use the classic trick of fooling users into downloading a rogue app. Attackers could also chain the bug with another code vulnerability through Google’s Chrome browser.

“It is a kernel privilege escalation [bug] using a use-after free vulnerability, accessible from inside the Chrome sandbox,” Stone said. “The vulnerability is exploitable in Chrome’s renderer processes under Android’s ‘isolated_app’ SELinux domain, leading to us suspecting Binder as the vulnerable component.”

Google has promised a patch is coming: “Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming days. Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue.”

Vulnerable devices: Pixel 1, Pixel 1 XL, Pixel 2, Pixel 2 XL, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note, Xiaomi A1, Oppo A3, Moto Z3, Oreo LG phones, Samsung S7, Samsung S8 and Samsung S9.