Google’s Project Zero research group has highlighted a zero-day vulnerability in the Android operating system that allows malicious parties to attain complete control of victims’ smartphones.
According to Google Project Zero member Maddie Stone, there is evidence that the exploit is being used in the wild, which is why Project Zero has de-restricted the bug seven days after reporting it to Android.
The bug affects at least 18 Android smartphones, including the following:
- Pixel 1
- Pixel 1 XL
- Pixel 2
- Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung S7
- Samsung S8
- Samsung S9
“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” explained Stone.
“If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”
Android released a statement highlighting that the issue is “high” in severity.
“This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit.”
“We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.”
It is not certain when the exploit will be patched on non-Pixel devices.