Google’s team of security researchers responsible for reporting zero-day vulnerabilities, known as Project Zero, recently discovered an unpatched exploit in Android that’s being used in real-life attacks. This vulnerability affects smartphones from popular Original Equipment Manufacturers (OEM) like Samsung, Xiaomi, and Huawei. Even Google’s older Pixel phones are impacted as well.
The vulnerability is part of the Android system kernel and can allow an attacker to gain root access on a phone. That means they could access data, modify system apps, track your location, and more. Strangely, Google identified this vulnerability in late 2017 and added a patch to the Android code. However, the patch was not carried over into newer versions of Android (8.0 and later) on some phones.
Here’s the complete list of devices affected by the zero-day vulnerability, which is flagged as high priority by Google:
- Pixel 1/ Pixel 1 XL
- Pixel 2/ Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Android Oreo LG phones
- Samsung Galaxy S7
- Samsung Galaxy S8
- Samsung Galaxy S9
Fixing it
The Project Zero team mentions that the list of phones affected is not exhaustive and a number of devices have already been exploited using this bug. Google will release the October security patch, which should arrive next week, with a fix for this vulnerability. Other OEMs listed above are expected to follow suit in the coming weeks. In the meantime, be careful what you install from shady corners of the internet.
Who is behind it?
Google says Israeli security firm NSO Group has been actively using the exploit, a claim the company denies. NSO may simply be denying that it’s engaged in any hacks itself, and that may be true – it could simply be helping others to do it. NSO Group has long been under fire for making mobile phone hacking tools, which it sells to oppressive governments that use them to spy on activists and protesters.