“A patch is available for the vulnerability and will most likely be included in the October Android security update”
Google recently announced the discovery of a zero-day vulnerability in Android. Google's Project Zero team discovered the bug and claims that the NSO Group is behind the exploit. The vulnerability allows an attacker to install malicious apps on the smartphone and take complete control of the device. This is a major threat, especially at a time when Google has been focusing on making Android more secure with monthly patches, Project Mainline, and other initiatives. The exploit currently affects certain smartphones from Google, Xiaomi, Samsung, Huawei, OPPO, LG, and Motorola.
Although Google stated that the exploit was actively used by the NSO Group, high-level representatives of this group denied all allegations. The vulnerability allows the attacker to control the device and gain root privileges even if the device isn’t rooted. Access to the device is possible via a malicious app or even through the Chrome browser. According to Google, the exploit can be used from within the Chrome sandbox, which means that it can be delivered to the affected device through the web.
All of this can be achieved with complete discretion, and the user will never know about it. As mentioned above, the attacker does not need any physical contact with the device. Google has rated this vulnerability as ‘High Severity’ on the Android tracker. The folks over at Project Zero have also posted a proof-of-concept for the vulnerability and how it can be used in real life. Apparently, the vulnerability was patched in December of 2017, but the fix was not included in the Android security patches for certain devices.
The list of devices that are currently vulnerable to attack includes: Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Huawei P20, Xiaomi Redmi 5A, Redmi Note 5, Mi A1, OPPO A3, Moto Z3, Samsung Galaxy S7, Galaxy S8, Galaxy S9, and all LG smartphones running Android Oreo. Google has already patched the exploit, and the fix will be available with the October Android security patch, which should be released for Pixel devices in a few days. Google has also made a patch available to Android partners such as Xiaomi, Samsung, and others, but we are not sure when the OEMs will deliver the update.