There is a zero-day vulnerability in the Android mobile operating system that Google thought had been patched two years ago.
The issue can give attackers full control of at least 18 different phone models, researchers said. In addition, the vulnerability is under active exploitation, said a member of Google’s Project Zero research group.
The vulnerability can be exploited when a target installs an untrusted app, or in online attacks by combining the exploit with a second exploit targeting a vulnerability in the code the Chrome browser uses to render content.
“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” said Project Zero member Maddie Stone in a post. “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”
Vulnerable phones include: Pixel 1, Pixel 1 XL, Pixel 2, Pixel 2 XL, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3, Moto Z3, Oreo LG phones, Samsung S7, Samsung S8, and Samsung S9.
Google officials said:
“We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7 day disclosure deadline. After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.”
A member of Google’s Android team said the vulnerability would be patched in the October Android security update, which is likely to become available in the next few days. The schedule for other devices to be patched wasn’t immediately clear. Pixel 3 and Pixel 3a devices aren’t affected.
The use-after-free vulnerability originally appeared in the Linux kernel and was patched in December 2017 in version 4.14. That fix was incorporated into versions 3.18, 4.4, and 4.9 of the Android kernel. However, for some reason, the patches never made their way into Android security updates. The flaw is now tracked as CVE-2019-2215.