A vulnerability that was fixed in earlier Android versions at the beginning of last year has resurfaced: it was recently discovered that attackers were actively exploiting a zero-day vulnerability in Android that allows full control to be taken of various phone models, including four Google Pixel models and Huawei, Xiaomi, Samsung and other devices, according to a member of Google's Project Zero research group.
The vulnerability has been rated "high severity" on Android. What is worse, the exploit requires little to no customization to fully root vulnerable phones. A post from Google's research group suggested that the bug, discovered last week, was being actively exploited, either by the NSO Group or by one of its clients.
However, the group's representatives denied any responsibility for the exploitation of the bug. NSO Group is an exploit and spyware developer that sells to various government entities.
In an email, representatives of the NSO Group wrote after the disclosure of the exploit:
"NSO has not sold and will never sell exploits or vulnerabilities. This exploit has nothing to do with NSO; our work focuses on the development of products designed to help intelligence agencies and law enforcement agencies save lives."
The group, based in Israel and specializing in technical assistance to governments for spying on mobile devices and in the development of "digital weapons", came to prominence when researchers at the University of Toronto's Citizen Lab discovered, in 2016 and 2017, an advanced mobile spyware it had developed, dubbed Pegasus.
Google has also been diligent and timely with security patches (as recently as last month, Google released security patches for Google Pixel phones and many other phones), but none of this prevented new vulnerabilities in Android.
The exploit is a kernel privilege escalation that allows an attacker to fully compromise a vulnerable device and root it. Because the vulnerable code is also reachable from the Chrome sandbox, the exploit can be delivered via the web once it is combined with an exploit for a vulnerability in the Chrome code used to render content.
The vulnerability is believed to have been fixed in early 2018 in Linux kernel LTS version 4.14, but without a CVE being assigned. The fix was incorporated into Android kernel versions 3.18, 4.4 and 4.9. However, it did not make it into the Android security updates that followed, leaving several devices vulnerable to the flaw, which is now tracked as CVE-2019-2215.
Maddie Stone, a member of Project Zero, said in a message that "the bug is a vulnerability that increases local privileges and allows a complete compromise of a vulnerable device."
That is, an attacker can install a malicious application on an affected device and gain root without the user's knowledge, obtaining full control of the device. And since it can be combined with another exploit in the Chrome browser, the attacker can also deliver the malicious application through the web browser, eliminating the need for physical access to the device.
The "non-exhaustive" list of affected devices published by the Google research group is:
- Pixel 1
- Pixel 1 XL
- Pixel 2
- Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- LG phones
- Samsung S7
- Samsung S8
- Samsung S9
The Project Zero research team shared a local proof-of-concept exploit to demonstrate how this bug can be used to obtain arbitrary kernel read/write during local execution.
However, another member of Google's Project Zero team said that the vulnerability will be fixed in the October Android security update, which will likely be available in the next few days.