Researchers at Google’s security group Project Zero have found an active vulnerability in Android that affects several popular devices including the Pixel 2, Huawei P20 Pro, and Xiaomi Redmi Note 5.
A post from the security group suggests it found the bug last week, and attackers were exploiting it at that moment. The post notes the exploit requires no or minimal customization to root a phone that’s exposed to the bug.
The research group has listed some of the devices affected that are running Android version 8.x or later:
- Pixel 2 with Android 9 and Android 10 preview
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung Galaxy S7, S8, S9
The bug was fixed in earlier versions – 3.18, 4.4, and 4.9 – of Android kernel, but it has resurfaced again.
The attacker can’t use Remote Code Execution (RCE) to exploit the vulnerability. However, if you install an application from an untrusted source, attackers can take advantage of that. Attackers can also take advantage of the bug if they pair it with vulnerabilities in the Chrome browser to render content.
A statement from Android team says it has informed phone makers to issue a patch:
We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.
The researchers speculate the bug is being used by NSO, an Isreal-based group known to sell tools to authorities to exploit iOS and Android.
It’s advisable that you don’t install apps from non-trustworthy sources, and use an alternate browser such as Firefox or Brave till the issue is fixed. We’ll keep you posted on any updates issued by phone makers.