Specialists of the Google Project Zero team released information (as well as a PoC code) about the 0-day vulnerability in the Android operating system, which is already actively used by attackers in real attacks. The 0-day vulnerability in Android threatens many popular smartphones.It is noteworthy that this vulnerability was fixed in versions of Android 3.18, 4.14, 4.4 and 4.9 in December 2017, however, it reappeared in later OS releases.
“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox”, — writes maddiestone researcher from Google Project Zero.
The problem that received the CVE-2019-2215 identifier is contained in the Android kernel code and can be used to completely compromise the device. According to the researchers, the vulnerability affects gadgets based on versions of Android 8.x and higher:
- Pixel 2 based on Android 9 and Android 10 preview
- Huawei P20;
- Xiaomi Redmi 5A;
- Xiaomi Redmi Note 5;
- Xiaomi A1;
- Oppo A3;
- Moto Z3;
- Oreo LG;
- Samsung S7, S8, S9.
According to the Google Threat Analysis Group (TAG) team, the Israeli company NSO Group, which has a very controversial reputation, developed the exploit used in the attacks.
Previously, the company has been repeatedly accused of supplying exploits to authoritarian governments harassing human rights defenders and journalists. In September of this year, the NSO Group promised to follow the principles of the UN Universal Declaration of Human Rights and take measures that impede the use of the company’s technologies with malicious intent.
“This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update”, — writes maddiestone.
User Review( votes)