Critical Android vulnerability affects Samsung, Huawei, Xiaomi smartphones
In a major incident, Google's security researchers have flagged critical unpatched zero-day vulnerability, in the company's own Android operating system. The issue, they say, plagues phones from leading smartphone companies - like Samsung, Huawei, and Xiaomi - and is being exploited in the wild by threat actors. Even select Pixels have been affected. Here's all you need to know about it.
First flagged by Google's Project Zero team, the vulnerability, titled CVE-2019-2215, exists in Android's Kernel code. It's been described as an issue of 'high severity', one that allows attackers to gain root access to a device. However, the weird part is, the researchers claim that the issue only affects phones running Android 8.x or newer as the older versions were fixed in 2017 itself.
After discovering the bug, Google's team found that it affects a number of devices, including Samsung's Galaxy S7, S8, S9, Pixel 1, 2, Huawei P20, Xiaomi Redmi 5A, Note 5, A1, OPPO A3, and Moto Z3. And, what's even more worrying is the fact that these are just the devices that were tested with the exploit. The actual list could be much longer!
The researchers have said that "exploit [of the vulnerability] requires little or no per-device customization," which means that it could be leveraged to compromise a large number of phones running Android 8.0 or newer versions.
Adding more to the concern, Google's Threat Analysis Group (TAG) notes that this vulnerability is also being exploited in the wild. They have not shared exact details of the exploit but indicated it may have been used by Israel's NSO Group for real-world attacks. The group is known to sell exploits and surveillance tools, but in this case, it has explicitly denied any involvement
"NSO did not sell and will never sell exploits or vulnerabilities," an NSO Group spokesperson told ZDNet. "This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives."
The issue makes phones with newer Android vulnerable but do note that Google has already released a patch on the Android Common Kernel and notified the affected partners to issue a fix. It should be available with the October security update, but until then we recommend keeping your phone to yourself as this bug can only be exploited through physical access to a phone.
"This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation," a spokesperson for the Android Open Source Project said. "Any other vectors, such as via web browser, require chaining with an additional exploit."
