Security researchers at Google’s Project Zero team have discovered a new zero-day vulnerability that allows hackers to take full control of several Android handsets, including the likes of popular smartphones such as Google Pixel and Galaxy S series flagships.
Security experts suggest that there are two different ways an attacker can use this vulnerability. In the first case, an attacker would require their target to install a malicious application on their handset. While in the second one, they would need to link the attack by targeting a vulnerability in a web browser.
The flaw happens to be a local privilege escalation which allows attackers to take full control of the device. Meanwhile, if the bug is delivered through the Internet, it only needs to be paired with a render exploit, as the flaw can be accessed via a sandbox.
The list of Android devices known to be vulnerable to the bug include Pixel 1, Pixel 1 XL, Pixel 2, Pixel 2 XL, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3, Moto Z3, Oreo LG phones, Samsung S7, Samsung S8, and Samsung S9.
In the past, an Israeli-based spyware vendor called NSO was able to use similar exploits to take full control of Android phones, to not only access personal data such as the content of messages but even to transform the phone into a bugging device. However, sources indicate that the NSO Group has denied any involvement with the exploit.
In response to the bug, an Android team spokesperson has confirmed that it was a critical issue. He further added that a patch is now available on the Android Common Kernel and affected Android partners have been informed. He also mentioned that Pixel 1 and 2 devices will soon get updates for this vulnerability as part of the October update. Finally, he also mentioned that Pixel 3 and 3A devices are not affected by this issue.