Google’s team of security researchers responsible for reporting zero-day vulnerabilities, known as Project Zero, recently discovered an unpatched exploit in Android that’s being used in real-life attacks. This vulnerability affects smartphones from popular OEMs like Samsung, Xiaomi, and Huawei. Even Google’s older Pixel phones are impacted as well.
This vulnerability resides in the Android kernel source and was first discovered back in 2017, which is also when it was patched. This included the 4.14 LTS kernel, as well as AOSP Android 3.18, 4.4, and 4.9 kernels, but the vulnerability again popped up in newer versions of Android.
Smartphones running Android 8.0 or later could be affected by the exploit, which Project Zero says doesn’t require per-device customization. This means the hackers can attack a ton of different devices using the same malicious technique. They don’t require in-person access to the device and could gain root access simply by making users sideload a malicious app.
Here’s the complete list of devices affected by the zero-day vulnerability, which is flagged as high priority by Google –
- Pixel 1/ Pixel 1 XL
- Pixel 2/ Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Android Oreo LG phones
- Samsung Galaxy S7
- Samsung Galaxy S8
- Samsung Galaxy S9
Google’s Project Zero team may have discovered the vulnerability, but it’s the Threat Analysis Group (TAG) that confirmed its use in real-life attacks on affected devices. It believes the NSO Group, a popular Israeli-based company known to sell exploits and surveillance tools, is behind the zero-day attacks. However, NSO has denied Google’s accusations.
The Project Zero team mentions that the aforementioned isn’t an exhaustive list and a number of devices have already been exploited using this bug. Google will release the October security patch, which should arrive next week, with a fix for this vulnerability. Other OEMs listed above are expected to follow suit in the coming weeks.