Google’s Project Zero security team has discovered a new zero-day exploit in Android which is already being used in the wild.
The vulnerability was found in the kernel of the Android operating system and can be utilized by an attacker to gain root access to a device.
Oddly enough, the vulnerability was patched back in December of 2017 in Android kernel versions 3.18, 4.14, 4.4 and 4.9, though newer versions of Android were found to be vulnerable.
According to Google’s researchers, the vulnerability impacts the Pixel 2, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3, Moto Z3, LG phones running Oreo and the Samsung S7, S8 and S9 running Android version 8 or higher.
However, since the “exploit requires little or no per-device customization”, this means that it may impact even more Android smartphones but those listed above have been tested and confirmed to be vulnerable to the zero-day by Google.
While Google’s Project Zero team first discovered the vulnerability, the company’s Threat Analysis Group (TAG) confirmed that it had been used in real-world attacks. Both of these teams were also responsible for discovering a recent batch of zero-day vulnerabilities in Apple’s iPhones.
Details regarding who is behind the Android zero-day are currently limited but Google’s TAG believes that the Israel-based company NSO Group, that is known for selling exploits and surveillance tools, may be responsible.
However, when ZDNet reached out to the group they denied any involvement, saying:
“NSO did not sell and will never sell exploits or vulnerabilities. This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives.”
There is a silver lining though as this new Android vulnerability is not as dangerous as past zero-days. While the vulnerability is rated as high severity by Google it still requires the installation of a malicious application in order to be exploited.
Google has notified its Android partners and a patch is now available on the Android Common Kernel, so expect affected device manufacturers to start rolling out updates soon.