Google today is publicly reporting a new zero-day vulnerability in Android that potentially affects a number of devices. The vulnerability is particularly worrisome because it can allow bad actors to take control of an affected device. Strangely enough, this security flaw has already been patched once, but apparently it still exists within more recent versions of Android.
More specifically, Google explains in its Project Zero bug tracker that this flaw was patched in the 4.14 LTS kernel, AOSP android 3.18 kernel, AOSP android 4.4 kernel, and AOSP android 4.9 kernel back in December 2017. However, based on source code review, Google says that a decent variety of devices running Android 8.x or later still appear to be vulnerable. Check out the list below:
• Pixel 2 with Android 9 and Android 10 preview
• Huawei P20
• Xiaomi Redmi 5A
• Xiaomi Redmi Note 5
• Xiaomi A1
• Oppo A3
• Moto Z3
• Oreo LG phones
• Samsung S7, S8, S9
While the Pixel 2 is on that list, the Project Zero team says that Pixel 3 and 3a devices aren’t affected. There is evidence of this exploit being used in the wild, which led to Google assign it a seven-day disclosure deadline (the bug was first reported to Android on September 26th). Beyond that, Google’s Threat Analysis team has potentially linked this exploit with one used by the NSO group.
Android, for its part, has issued a statement on the vulnerability. “This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation,” the vendor statement explains. “Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.”
So, a fix for the affected Pixel devices is on the way, though the Project Zero team doesn’t offer any updates on the status of other devices on that list. The encouraging thing is that this exploit requires the installation of some kind of malicious app – or otherwise encountering a chain of exploits through a website – so while this is still listed as “High severity,” it sounds like it could have been worse. We’ll see what happens from here, so stay tuned.