0-day vulnerability in Android threatens smartphones Pixel, Samsung, Huawei and Xiaomi

Specialists of the Google Project Zero team released information (as well as a PoC code) about the 0-day vulnerability in the Android operating system, which is already actively used by attackers in real attacks. The 0-day vulnerability in Android threatens many popular smartphones.

It is noteworthy that this vulnerability was fixed in versions of Android 3.18, 4.14, 4.4 and 4.9 in December 2017, however, it reappeared in later OS releases.

“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox”, — writes maddiestone researcher from Google Project Zero.

The problem that received the CVE-2019-2215 identifier is contained in the Android kernel code and can be used to completely compromise the device. According to the researchers, the vulnerability affects gadgets based on versions of Android 8.x and higher:

  1. Pixel 2 based on Android 9 and Android 10 preview
  2. Huawei P20;
  3. Xiaomi Redmi 5A;
  4. Xiaomi Redmi Note 5;
  5. Xiaomi A1;
  6. Oppo A3;
  7. Moto Z3;
  8. Oreo LG;
  9. Samsung S7, S8, S9.

According to the Google Threat Analysis Group (TAG) team, the Israeli company NSO Group, which has a very controversial reputation, developed the exploit used in the attacks.

Read also: Hearing Aid Maker Demant Loses $ 95 Million due to Ransomware Attack

Previously, the company has been repeatedly accused of supplying exploits to authoritarian governments harassing human rights defenders and journalists. In September of this year, the NSO Group promised to follow the principles of the UN Universal Declaration of Human Rights and take measures that impede the use of the company’s technologies with malicious intent.

“This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update”, — writes maddiestone.

The good news is that CVE-2019-2215 cannot be used to remotely execute code without user intervention; its operation requires a number of conditions. In particular, an attacker will first need to install a malicious application on the target device, and for exploitation via a web browser, additional exploits will be required.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button