Critical Android vulnerability affects Samsung, Huawei, Xiaomi smartphones
What's the story
In a major incident, Google's security researchers have flagged critical unpatched zero-day vulnerability, in the company's own Android operating system. The issue, they say, plagues phones from leading smartphone companies - like Samsung, Huawei, and Xiaomi - and is being exploited in the wild by threat actors. Even select Pixels have been affected. Here's all you need to know about it.
Vulnerability
Zero-day flaw allowing root access
First flagged by Google's Project Zero team, the vulnerability, titled CVE-2019-2215, exists in Android's Kernel code. It's been described as an issue of 'high severity', one that allows attackers to gain root access to a device. However, the weird part is, the researchers claim that the issue only affects phones running Android 8.x or newer as the older versions were fixed in 2017 itself.
Affected models
A number of phones compromised by the flaw
After discovering the bug, Google's team found that it affects a number of devices, including Samsung's Galaxy S7, S8, S9, Pixel 1, 2, Huawei P20, Xiaomi Redmi 5A, Note 5, A1, OPPO A3, and Moto Z3. And, what's even more worrying is the fact that these are just the devices that were tested with the exploit. The actual list could be much longer!
Quote
Why more handsets could be affected?
The researchers have said that "exploit [of the vulnerability] requires little or no per-device customization," which means that it could be leveraged to compromise a large number of phones running Android 8.0 or newer versions.
Exploit
Also, they say that the bug is being exploited
Adding more to the concern, Google's Threat Analysis Group (TAG) notes that this vulnerability is also being exploited in the wild. They have not shared exact details of the exploit but indicated it may have been used by Israel's NSO Group for real-world attacks. The group is known to sell exploits and surveillance tools, but in this case, it has explicitly denied any involvement
Quote
Here's what NSO Group said on the matter
"NSO did not sell and will never sell exploits or vulnerabilities," an NSO Group spokesperson told ZDNet. "This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives."
Risk
So, do you need to worry?
The issue makes phones with newer Android vulnerable but do note that Google has already released a patch on the Android Common Kernel and notified the affected partners to issue a fix. It should be available with the October security update, but until then we recommend keeping your phone to yourself as this bug can only be exploited through physical access to a phone.
Quote
Malicious app has to be installed for exploitation
"This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation," a spokesperson for the Android Open Source Project said. "Any other vectors, such as via web browser, require chaining with an additional exploit."