Google Finds Zero-Day Android Exploit Affecting Pixel, Samsung, and More
Another day, another security exploit report from Google’s Project Zero team. This time, the vulnerability is in the company’s own Android operating system, which will no doubt please Apple. The exploit affects a handful of phones from Google, Samsung, Huawei, and others. Google also notes there is evidence the exploit is already active in the wild.
The vulnerability is part of the Android system kernel and can allow an attacker to gain root access on a phone. That means they could access data, modify system apps, track your location, and more. Strangely, Google identified this vulnerability in late 2017 and added a patch to the Android code. However, the patch was not carried over into newer versions of Android (8.0 and later) on some phones.
Currently, Google has identified several phones that are exploitable via this kernel flaw, including but not limited to Google’s own Pixel 2, the Huawei P20, Xiaomi Redmi Note 5, LG’s Oreo phones, and the Samsung Galaxy S8 through S9 family. Because the exploit exists at a very low level in the system, it requires almost no per-device customization.
Google says Israeli security firm NSO Group has been actively using the exploit, a claim the company denies. NSO may simply be denying that it’s engaged in any hacks itself, and that may be true — it could simply be helping others to do it. NSO Group has long been under fire for making mobile phone hacking tools, which it sells to oppressive governments that use them to spy on activists and protesters.
A zero-day vulnerability is never a good thing, but this one could have been much worse. The only way to compromise a device with this vulnerability is by installing an app. It’s not a remote code execution flaw, so Google has rated the vulnerability as “high” instead of “severe.” Google’s Play Protect system knows about this exploit, so it should never show up in any sketchy Play Store apps. Thus, the only way to infect a device is to trick someone into sideloading an APK via the browser or some other app. Users will have to jump through some hoops to make that happen thanks to Android’s current security model.
Google’s latest October system patches squash this bug once and for all. Google devices like the Pixel 2 will probably get that update in the coming days. However, other vulnerable phones will have to wait for OEMs to create new customized builds of the OS. In the meantime, be careful what you install from shady corners of the internet.