Ukuba sengozini okulungisiwe kuzinguqulo zangaphambilini ku-Android selokhu kuqale unyaka odlule, uvukile futhi, ngoba muva nje se uthole ukuthi abahlaseli basebenzisa kanzima ukuba sengozini kwezinsuku ezingama-zero ku-Android lokho ikuvumela ukuba ulawule ngokuphelele amamodeli wefoni ahlukahlukene, kufaka phakathi amamodeli ama-4 weGoogle Pixel, iHuawei, amadivayisi weXiaomi, iSamsung nezinye, kusho ilungu leGoogle Zero Project Research Group.
Ukuba sengozini kukalwe "njengobunzima obukhulu" ku-Android Okubi nakakhulu, ukuxhaphaza kudinga ukwenza ngokwezifiso okuncane ukuze usiphule ngokuphelele izingcingo ezisengozini. Umlayezo ovela eqenjini locwaningo lakwaGoogle uphakamise ukuthi le bug, etholwe ngesonto eledlule, yaxhashazwa kakhulu, kungaba yiqembu le-NSO noma elinye lamakhasimende ayo.
Kodwa-ke, abameleli beqembu benqaba noma yimuphi umthwalo ngokuxhashazwa kwephutha. I-NSO Group ingumqambi wokuxhaphaza nokuhlola ama-spyware othengisela izinhlangano ezahlukahlukene zikahulumeni.
Kwi-imeyili, abamele iqembu le-NSO babhala ngemuva kokudalulwa kokuxhashazwa:
“I-NSO ayikathengisi futhi ayisoze yathengisa ukuxhashazwa noma ubungozi. Le feat ayihlangene neze ne-NSO; umsebenzi wethu ugxile ekwakhiweni kwemikhiqizo eyenzelwe ukusiza izinhlaka zezobunhloli nezomthetho ukuthi zisindise izimpilo ”.
Leli qembu, elizinze kwa-Israyeli futhi elikhethekile ngosizo lobuchwepheshe kohulumeni ngobunhloli bamatheminali eselula kanye nokwakhiwa «kwezikhali zedijithali», kuboniswe kanjalo ngokutholakala ku-2016 nango-2017, ngabaphenyi beCitizen Lab of the University kusuka eToronto, isoftware esezingeni eliphakeme yesoftware ayenza wayibiza ngokuthi yiPegasus.
I-Google ibuye ikhuthele futhi ifike ngesikhathi ngezimpawu zokuphepha (Muva nje ngenyanga edlule, iGoogle ikhiphe amabala okuphepha amafoni weGoogle Pixel namanye amafoni amaningi.) Kepha konke lokhu akuzange kuvimbele ukuba sengozini okusha ku-Android.
Lokhu kuxhaphaza ukukhuphuka kwelungelo le-kernel usebenzisa ukuba sengozini, okuyi ivumela umhlaseli ukuthi ayekethise ngokuphelele idivayisi esengozini futhi ayiqande. Ngoba ukuxhaphaza kungafinyelelwa futhi kusuka ku-sandbox ye-Chrome, futhi kungalethwa ngewebhu uma kuhlanganiswe nokuxhaphaza okubhekise ukuba sengozini kwekhodi ye-Chrome esetshenziselwa ukunikeza okuqukethwe.
Lokhu kuba sengozini okukholelwa ukuthi kulungiswe ekuqaleni kuka-2018 ku-Linux Kernel LTS version 4.14 kepha akukho ukulandelwa kweCVE. Ukulungiswa kufakiwe kuzinguqulo ze-Android kernel 3.18, 4.4, naku-4.9. Kodwa-ke, isixazululo asifinyelelanga kuzibuyekezo zokuphepha ze-Android ezalandela, sishiya amadivayisi amaningi esengozini yaleli phutha manje elilandelwa njenge-CVE-2019-2215.
UMaddie Stone, oyilungu leProject Zero, uthe emyalezweni ukuthi "isinambuzane siyingozi esandisa amalungelo endawo futhi esivumela ukuvumelana okuphelele kwensiza esengozini."
Ngisho, umhlaseli angafaka uhlelo lokusebenza olunonya kumadivayisi athintekile futhi afinyelele empandeni ngaphandle kolwazi lomsebenzisi, ukuze ukwazi ukulawula ngokugcwele idivayisi. Futhi njengoba ingahlanganiswa nokunye ukuxhaphaza kusiphequluli se-Chrome, umhlaseli angaphinde ahambise uhlelo lokusebenza olunobungozi ngesiphequluli sewebhu, aqede isidingo sokufinyelela ngokomzimba kudivayisi.
Uhlu "olungapheli" lwamadivayisi iqembu locwaningo lwe-Google olushicilele njengamadivayisi athintekile yile:
- I-Pixel 1
- I-Pixel 1 XL
- I-Pixel 2
- I-Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Qaphela i-5
- I-Xiaomi A1
- Na A3
- I-Moto Z3
- Izingcingo ze-LG
- Samsung S7
- Samsung S8
- Samsung S9
Ithimba locwaningo leProject Zero labelane ngobufakazi bendawo bokuxhashazwa komqondo ukukhombisa ukuthi le bug ingasetshenziswa kanjani ukuthola ukufunda / ukubhala kwe-kernel ngokungafanele ngesikhathi sokubulawa kwasendaweni.
Kodwa-ke, elinye ilungu leqembu leZero Project yakwaGoogle lithe ukuba sengozini kuzovele kulungiswe ekuvuseleleni ukuphepha kwe-Android kwe-Android, okungenzeka ukuthi kuzotholakala ezinsukwini ezimbalwa ezizayo.