Google’s Project Zero research team has indications that an as-yet unfixed vulnerability in Android is being actively exploited. The exploits work on at least eighteen different Android devices, which can be fully taken over.
The flaw is a privilege escalation vulnerability tracked as CVE-2019-2215 that allows full takeover of certain Android devices. Google considers the vulnerability to be very serious: exploiting it requires nothing more than the installation of a malicious app. Ars Technica has additional information.
Infection via websites is only possible in combination with another exploit, which then has to target Chrome’s renderer process. Not every Android device is affected. The origins lie in a use-after-free vulnerability that was patched in Linux kernel 4.14 in early 2018. The vulnerability was subsequently also fixed in the Android kernels 3.18, 4.4, and 4.9, but for unknown reasons the patches never became part of the Android security updates.
As a result, the Pixel 1 and 2 are vulnerable, for example, but the Pixel 3 and 3a are not. Google’s Project Zero states that at least the Pixel 1, Pixel 1 XL, Pixel 2, Pixel 2 XL, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3, Moto Z3, LG smartphones running Android Oreo, and the Samsung S7, S8 and S9 are affected. That list is not exhaustive.
The Project Zero team has received evidence from Google’s Threat Analysis Group that the NSO Group sells exploits for the vulnerability. NSO is an Israeli company that focuses on the development of security technology. The company has been discredited in the past for developing Pegasus, malware discovered in 2016 that exploited a zero-day vulnerability in iOS to siphon data from iPhones. According to Citizen Lab, Pegasus was used against human rights activists, among others. An Android variant was also found in 2017.
Google does not yet have a sample of the newly discovered exploit, so it is unclear how NSO uses it. Google plugs the vulnerability in its October Android security update, which is likely to be released sometime in the coming days. Project Zero is already making the vulnerability’s existence known because of its disclosure policy for zero-day vulnerabilities that are being actively exploited: seven days after notifying the affected party, in this case the Android team, the security team proceeds to publication.