Google’s old Android vulnerability found being exploited in the wild

Google’s Project Zero Day security researchers revealed on Thursday that a critical zero-day vulnerability has been detected in the wild. Previously, this same bug had affected older Android kernel versions 3.18, 4.14, 4.4, and 4.9, but was later patched by Google in December 2017. Apparently, this bug is now affecting newer Android kernel versions, reports ZDNet.

According to the researchers, the following phone models running Android 8.x and later (unless specified otherwise) are believed to be affected by this vulnerability:

  • Pixel 2 with Android 9 and Android 10 preview
  • Huawei P20
  • Xiaomi Redmi 5A
  • Xiaomi Redmi Note 5
  • Xiaomi A1
  • Oppo A3
  • Moto Z3
  • Oreo LG phones
  • Samsung Galaxy S7
  • Samsung Galaxy S8
  • Samsung Galaxy S9

However, the good news is that the exploit doesn’t work on Pixel 3, 3 XL, and 3a smartphones.

Google researchers said that the “exploit requires little or no per-device customization,” which means that it should be able to work on a range of other handsets. Currently, however, there is no evidence that devices other than the ones listed above are affected by the bug.

Google’s Threat Analysis Group (TAG) also confirmed that the vulnerability is already being exploited and used in real-world attacks by threat actors. TAG believes that NSO Group, a well-known Israel-based company that sells exploits and surveillance tools to governments, is behind the Android zero-day exploit seen in the wild.

However, NSO denied that they are behind the exploit. “NSO did not sell and will never sell exploits or vulnerabilities,” an NSO Group spokesperson told ZDNet. “This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives.”

The good news is that the Android zero-day is not as risky as previous zero-day vulnerabilities. Certain conditions need to be met before it can be exploited.

Firstly, users need to install an untrusted malicious application. Secondly, the bug needs to be chained with another Chrome rendering exploit to be abused via the browser. As a result, this critical flaw, tracked as CVE-2019-2215, is not an RCE (remote code execution) bug that can be exploited with no user interaction.

Google’s Android security research team had been notified about the exploit seven days before it was publicly announced on October 4. The search giant will be releasing a fix for this vulnerability in Android’s October security patch.

“This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit,” a spokesperson for the Android Open Source Project team said.

“We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.”

Meanwhile, users of the vulnerable devices are advised to exercise caution and avoid downloading any apps from untrusted sources.