Analysts from the Google Project Zero team discovered a dangerous bug in the Android kernel that affects many Android devices. According to the researchers, this zero-day vulnerability is already being exploited in attacks. The bug can help an attacker gain root access to the target device.
This vulnerability was originally fixed in the 4.14 LTS Linux kernel back in December 2017. The fix was included in the Android 3.18, 4.14, 4.4, and 4.9 kernels; however, newer versions remained vulnerable for some reason. As a result, the bug may still pose a threat to the following Android device models running Android 8.x and newer:
- Pixel 2 running Android 9 and Android 10 preview;
- Huawei P20;
- Xiaomi Redmi 5A;
- Xiaomi Redmi Note 5;
- Xiaomi A1;
- Oppo A3;
- Moto Z3;
- LG smartphones running Oreo;
- Samsung S7, S8, S9.
Even worse, experts write that the exploit for the vulnerability, which now bears the identifier CVE-2019-2215, is universal enough to suit any of these models with minimal modifications.
Google specialists believe that the exploit they found for CVE-2019-2215 is the work of the notorious Israeli company NSO Group. As a reminder, NSO Group was founded in 2010 and has since been developing various kinds of legal malware, which it sells, along with exploits for various 0-days, to governments and intelligence services around the world. The company became widely known in 2016-2017, when information security specialists discovered the powerful spy tools Pegasus and Chrysaor, developed by NSO Group and designed for iOS and Android.
NSO Group representatives have already responded to these allegations, telling ZDNet that they have nothing to do with the exploit:
“The NSO Group has not and will never sell exploits or vulnerabilities. This exploit has nothing to do with NSO, and our work is focused on creating products designed for licensed intelligence and law enforcement agencies that save lives.”
Fortunately, there is good news. The fresh 0-day did not receive critical status, since it is not an RCE vulnerability that could be exploited without any user interaction. A number of conditions must be met to exploit it: the attacker needs to install a malicious application on the target device to trigger the bug. Any other attack vector, for example through a browser, requires a chain of exploits that uses other, additional vulnerabilities.
The patch for the zero-day is already available in the Android Common Kernel. Pixel 3 and 3a smartphones are outside the risk zone, while Pixel 1 and 2 devices should receive fixes for this vulnerability as part of the October update.