The team of security researchers in Google, responsible for reporting zero-day vulnerabilities, popularly known as Project Zero, recently discovered a serious security flaw on some Android devices and oddly, the issue was supposed to be patched back in December 2017. The smartphones in questions are from popular OEMs like Samsung, Xiaomi, Huawei including Google’s older Pixel phones.
This security flaw resides in the Android kernel source and was first discovered back in 2017, which is also when it was patched. This included the 4.14 LTS kernel, as well as AOSP Android 3.18, 4.4, and 4.9 kernels, but the vulnerability again popped up in newer versions of Android.
Smartphones running Android 8.0 or later could be affected by the exploit, which Project Zero says doesn’t require per-device customization. This means the hackers can attack a ton of different devices using the same malicious technique. They don’t require in-person access to the device and could gain root access simply by making users sideload a malicious app.
Here’s the complete list of devices affected by the zero-day vulnerability, which is flagged as high priority by Google –
- Pixel 1/ Pixel 1 XL
- Pixel 2/ Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Android Oreo LG phones
- Samsung Galaxy S7
- Samsung Galaxy S8
- Samsung Galaxy S9
Google’s Project Zero team may have discovered the vulnerability, but it’s the Threat Analysis Group (TAG) that confirmed its use in real-life attacks on affected devices. It believes the NSO Group, a popular Israeli-based company known to sell exploits and surveillance tools, is behind the zero-day attacks. However, NSO has denied Google’s accusations.
The Project Zero team states that the aforementioned isn’t an exhaustive list and a number of devices have already been exploited using this bug. Google will release the October security patch, which should arrive next week, with a fix for this vulnerability. Other OEMs listed above are expected to follow suit in the coming weeks.