Researchers from Google project zero uncovered a critical zero-day vulnerability that affected at least 18 Android models including Samsung, Moto, Huawei, Pixel, Xiaomi and more.
Some of the depth pieces of evidence show that the vulnerability is being exploited in wide and gives complete access to the Vulnerable Android devices.
An Android zero-day exploit that discovered in wide believed to be attributed to the Isreal based NSO group employed exploit developers or their customers who bought it from them and used it to compromise the Android users.
But we news media later reached the NSO groups and asked for comment, in which their spoke person denied that they did not sell, and will never sell exploits or vulnerabilities, also they give followings statement.
“This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives.” “
The vulnerability has already patched in Android kernel versions 3.18, 4.14, 4.4, and 4.9 without CVE but it becomes vulnerable to new Android versions.
Based on the source code review, Google confirmed that the following devices are vulnerable for this Android 0-day.
- Pixel 1
- Pixel 1 XL
- Pixel 2
- Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung S7
- Samsung S8
- Samsung S9
There are two possible ways identified by Google. first one will exploit the device by installing a malicious app on the targeted device, in another way, the attacker performs a kernel privilege escalation using a use-after-free vulnerability, accessible from inside the Chrome sandbox.
According to Google Project Zero researcher Maddie Stone “The vulnerability is exploitable in Chrome’s renderer processes under Android’s ‘isolated_app’ SELinux domain, leading to us suspecting Binder as the vulnerable component “
“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device.” and it’s not a complete remotely exploitable bug and the attacker need to meet with certain condition in order to take control over the vulnerable device that listed above.
Also, he confirmed that If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox. via a blog post.
The Zero-day Vulnerability categorized under “High” severity and the attacker needs to install a malicious app to exploit the bug, in another case if they tried via browser, attackers require chaining with an additional exploit in order the take the vulnerable Android device.
Due to vulnerability severity level and is being actively exploiting in wide, Google said “we are now de-restricting this bug 7 days after reporting to Android team privately”
Google promise that the patch will be available in October security update for Pixel 1 and 2 devices, and Pixel 3 and 3a is not vulnerable.