Evidence that the vulnerability is actively being exploited was reported by Google’s Project Zero team…
Ars Technica notes that there are two different ways attackers can use the exploit.
There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero member Maddie Stone said in a post. Exploits require little or no customization to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.
“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Stone wrote. “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”
The list of Android devices known to be vulnerable includes the following, but it is described as “non-exhaustive,” suggesting that other models will come to light as they are tested.
- Pixel 1
- Pixel 1 XL
- Pixel 2
- Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- LG phones running Android Oreo
- Samsung S7
- Samsung S8
- Samsung S9
NSO has in the past been able to use similar vulnerabilities to take full control of Android phones, not only to access personal data such as the content of messages, but also to turn the phone into a bugging device.
Stone said that information she received from Google’s Threat Analysis Group indicated the exploit was “allegedly being used or sold by the NSO Group,” a developer of exploits it sells to various government entities. Israel-based NSO gained widespread attention with the discoveries in 2016 and 2017 of an advanced piece of mobile spyware it developed called Pegasus. It jailbreaks or roots both iOS and Android phones so it can trawl through private messages, activate the microphone and camera, and collect all kinds of other sensitive information.
Project Zero normally gives companies 90 days to fix a vulnerability before disclosing it, but it reduces this to seven days when it has evidence that exploits are already in use in the wild. Google says that it will patch the problem for Pixel 1 and 2 models in the next few days and that the Pixel 3 and 3a are not affected.
If you have one of the affected phones, make sure you install the October Android security update as soon as it is available.