Google Warns of Android Zero-Day Bug Under Active Attack

Flaw impacts 18 Android models including Google’s flagship Pixel handset as well as phones made by Samsung, Huawei and Xiaomi.

Google is warning of an Android zero-day flaw actively being exploited in the wild, which gives an attacker full control over 18 phone models including its flagship Pixel handset and devices made by Samsung, Huawei and Xiaomi.

Google’s Project Zero warned late Thursday that it suspected the vulnerability was being exploited by the controversial Israel-based NSO Group Technologies or one of its customers. The NSO Group has been criticized for selling zero-day exploits to “authorized governments.” It’s believed some of those governments have used NSO technology in targeted attacks against human rights activists and journalists.

Project Zero member Maddie Stone wrote in a technical post Thursday that there are indicators that the exploit is “allegedly being used or sold by the NSO Group.”

For its part, the NSO Group has publicly denied having anything to do with the exploit, including selling it.

Stone said the unpatched vulnerability (CVE-2019-2215) can be exploited in several ways. In one scenario, a target is enticed to download a rogue app. The second method of infection involves chaining the bug with an additional vulnerability in code the Chrome browser uses to render content.

“It is a kernel privilege escalation [bug] using a use-after free vulnerability, accessible from inside the Chrome sandbox,” Stone said. “The vulnerability is exploitable in Chrome’s renderer processes under Android’s ‘isolated_app’ SELinux domain, leading to us suspecting Binder as the vulnerable component.”

A patch for the vulnerability is expected in the next few days as part of Google’s October Android security update.

“Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming days. Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue,” according to a statement by Google.

According to Google Project Zero, the use-after-free bug was patched in 2018 for versions 3.18, 4.4, and 4.9 of the Android kernel. However, the fix did not make it to Google’s monthly Android security updates.

Vulnerable devices include: Pixel 1, Pixel 1 XL, Pixel 2, Pixel 2 XL, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note, Xiaomi A1, Oppo A3, Moto Z3, Oreo LG phones, Samsung S7, Samsung S8 and Samsung S9.
