Attackers exploit 0day vulnerability that gives full control of Android phones

Paulo Renato ・2 min read

In this article we can read about a zero-day exploit with high-severity impact, affecting at least 18 different Android phones, including Pixel and Samsung models.

TLDR

Article main points:

“This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation,” Tim Willis, another Project Zero member, wrote, citing Android team members. “Any other vectors, such as via web browser, require chaining with an additional exploit.”

Stone said that information she received from Google’s Threat Analysis Group indicated the exploit was “allegedly being used or sold by the NSO Group,” a developer of exploits it sells to various government entities. Israel-based NSO gained widespread attention with the discoveries in 2016 and 2017 of an advanced piece of mobile spyware it developed called Pegasus. It jailbreaks or roots both iOS and Android phones so it can trawl through private messages, activate the microphone and camera, and collect all kinds of other sensitive information.

The use after free vulnerability originally appeared in the Linux kernel and was patched in early 2018 in version 4.14, without the benefit of a tracking CVE. That fix was incorporated into versions 3.18, 4.4, and 4.9 of the Android kernel. For reasons that weren’t explained in the post, the patches never made their way into Android security updates. That would explain why earlier Pixel models are vulnerable and later ones are not. The flaw is now tracked as CVE-2019-2215.

Don't panic

Quoting the article again:

While the vulnerability reported on Thursday is serious, vulnerable Android users shouldn’t panic. The chances of being exploited by attacks as expensive and targeted as the one described by Project Zero are extremely slim. Just the same, it may make sense to hold off installing non-essential apps and to use a non-Chrome browser until after the patch is installed.

Let's Discuss

If you are using a Google phone you will get a quick security update, but other manufacturers will take much more time.

Do you ever take into consideration how long it will take to receive security updates on the phone you are about to buy?

Paulo Renato

@exadra37

I am a Developer Advocate for Security in Mobile Apps and APIs at approov.io. Another passion is the Elixir programming language that was designed to be concurrent, distributed and fault tolerant.

Discussion


There are a lot of requirements to be met for this exploit to be in action so I don't think it's a threat, but actually a fix would be nice.

Plus it's a kernel issue, not Android issue.

 

There are a lot of requirements to be met for this exploit to be in action so I don't think it's a threat,

Well, it's a threat, but one that's not easy to achieve, just like the article says and I quote under the section Don't panic.

but actually a fix would be nice.

I am on Samsung, thus I need to wait some time for the security update to fix it. This is not the first time I regret having chosen Samsung over a Google phone. Security updates arrive on Google phones first ;)

Plus it's a kernel issue, not Android issue.

Once it's only happening in Android phones, it's an issue for all Android users, thus an Android issue.