If you own an older Samsung or Pixel device, there’s a good chance that it is affected by a zero-day vulnerability that is being exploited by hackers. Google has announced that the system bug affects specific devices running Android 8.x or higher, including Google’s own Pixel 1 and Pixel 2 smartphones, along with Samsung’s Galaxy S7, S8 and S9 devices, leaving more than 100 million Android users vulnerable to an attack. What’s most puzzling is that this exact bug was discovered and patched back in December of 2017, but was somehow excluded from future software builds for a select list of devices.
The silver lining is that the vulnerability isn’t as severe as previous zero-day vulnerabilities which have been discovered over the years. The vulnerability does not allow for RCE (remote code execution), meaning that a malicious application must be installed on the device in order to take advantage of it. There have been reports that Israel’s NSO Group has taken advantage of this vulnerability in the past. “This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit,” a spokesperson for the Android Open Source Project said.
The Android vulnerability was discovered by Google’s Project Zero team and was disclosed within 7 days, following the team’s own disclosure guidelines. The manufacturers of the affected devices have all been notified already and should be able to address the vulnerability with a patch during their next security update. Google plans to fix the issue with its October security patch for the Pixel 1 and Pixel 2, but we’ll have to wait to see how long it will take Samsung and the other manufacturers to address the vulnerability.
Affected Android devices
- Pixel 1
- Pixel 2 with Android 9 and Android 10 preview
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung S7, S8, S9
Source: Android Project Zero via Engadget