Google has identified another new zero-day exploit in Android devices (Apple users can skip to a different article!). This one, called CVE-2019-2215, is the latest in a series of Android exploits. This is not a warning by Google; the exploit is active in the real world, and so Google is making this news public after only 7 days instead of the usual 90 days.
The vulnerable devices are from Samsung, Huawei, Pixel and Xiaomi, but these are only the devices that Google has confirmed, and it is likely that other handsets belong on this list because Google says the exploit requires little or no per-device customization.
It is interesting that only the newer Android versions (from Android 8) are vulnerable, because older versions were patched when the vulnerability was identified in 2017. It seems that Google was a bit careless with its work in this case.
The vulnerability sits in the Android kernel’s binder driver, which gives the attacker root access to the phone. This can give the attacker full control, allowing them to access data on the phone or do other things such as track the location of the device.
Google has classified the vulnerability as high risk but not severe risk. This decision was made because, even though the exploit can work on many different handsets, the vulnerability cannot be exploited in isolation but requires interaction with the victim to be successful. For example, the vulnerability is accessible inside the Chrome sandbox, so for the exploit to become active it needs to be delivered through a web browser combined with a separate Chrome renderer exploit. The other possibility is that the device owner accidentally downloads a malicious app. This means this type of exploit has a low risk of being delivered successfully but is very damaging for a device that is compromised. For these reasons it is likely to be used for targeted attacks against individual victims.
At this time the group responsible for this exploit is not known. In similar cases the Israel-based NSO Group has been blamed, and some people claim that the group has exploited the vulnerability in this case, but it denies any links.
A patch is now available, so updates should be released soon for each device, and of course the Google Pixel will probably be the first to be fixed! Until the new updates are released it is probably not a good idea to download apps that look suspicious or any apps from outside the Google Play store.