The unpatched and zero-day vulnerability has been acknowledged as of high severity by Google. Android users should beware of a major Android bug which gives access to smartphones. We are expecting the security patches for the bug to release soon.
According to a recent discovery, a zero-day vulnerability has been spotted affecting certain older kernel versions of Android. The bug affects Android smartphones such as the Google Pixel 2, Mi A1, Redmi Note 5, Samsung Galaxy S9 and more.
Google’s security researcher, Maddie Stone discovered the vulnerability. He reports the vulnerability exploits a local and in-device privilege scope to cause an attack. The vulnerability then escalates the privilege of the attacker’s app or service to gain root access to the concerned phone.
The report further states that while only a local-level exploit is possible if the malware gets injects through physical sources. While injecting it through the internet can also give attackers full remote access to these affected devices. The vulnerability affects certain versions of the Android kernel, which are not updated to the very latest version.
Important to note that even the most recent software patches on phones with older kernels would be rendered ineffective against this bug. The Stone demonstrated by showing the flaw in action on a Google Pixel 2 smartphone running Android 10 with September 2019 security patch.
Disclosed by Stone in the Google Project Zero blog, the list of affected devices right now include Google’s Pixel 1, 1XL, 2 and 2XL, Huawei P20, Xiaomi’s Redmi 5A, Redmi Note 5 and Mi A1, Moto Z3, Oppo A3. It also affects all LG smartphones running on Android Oreo, and Samsung’s flagships from the past three years like Galaxy S7, Galaxy S8 and Galaxy S9.
The original post by Google states that it is already in use by Israel’s surveillance agency and the NSO Group. They might be offering its services to the government itself or to officially backed agencies.
Google has also disclosed its course of action against vulnerability. The company states, “This issue rates high severity on Android. The bug by itself requires the installation of a malicious application for potential exploitation.
Any other vectors, such as via a web browser require chaining with an additional exploit. Google has notified Android partners, and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable. While, Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.
As a result, be sure to look out for the latest update on your phone which should be rolling out over the next couple of weeks. The update will deliver the critical security patch. It will cover yet another critical bug that could still have a devastating effect on those not aware of it.