Google’s top security engineers have found an Android exploit that allows hackers to take over users’ mobile phones. However, users can reduce their exposure by being aware of what they download to their devices.
Google’s Project Zero, the cyber security team that focuses on finding security bugs, discovered this vulnerability in late September and disclosed it on Thursday. The bug is in the Android operating system’s kernel code, and if abused, hackers could get root access to a victim’s phone. Project Zero said they had already seen evidence of the exploit being used in the real world before it could be patched, making it what’s known as a zero-day vulnerability.
The security team gave a comprehensive list of mobile phone models running Android 8 or later that could be affected by this vulnerability:
- Pixel 2 with Android 9 and Android 10 preview
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung S7, S8, S9
This vulnerability is listed as “High severity” and might affect even more phones than those listed. Google is working to address the problem.
“Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming day,” a Google spokesperson said in an email Friday. “Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue.”
This vulnerability, however, requires action from the user, such as downloading malicious software, before a hacker can take over a phone. It can also be combined with a second exploit that targets the Chrome browser for a web-based attack. This means phone owners should stay aware of what they download and which websites they visit.
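Since the article says the fix ships in Google’s October Security Release, the practical check for a phone owner or fleet administrator is whether a device’s reported security patch level is on or after that release. The script below is an added example and not code from the article or from Google; it reads the standard Android property `ro.build.version.security_patch` (format YYYY-MM-DD) over adb, or accepts a value on the command line for offline use. The exact patch-level date of the fix is not stated in the article, so `FIXED_PATCH_LEVEL` is a placeholder assumption to be replaced with the date from the relevant security bulletin.

```shell
#!/bin/sh
# Added example (not from the article): compare a device's Android security
# patch level against the first release that is assumed to carry the fix.
# ASSUMPTION: the article only says "October Security Release"; this date is a
# placeholder and should be set from the actual security bulletin.
FIXED_PATCH_LEVEL="2019-10-06"

# patch_level_is_fixed LEVEL
#   LEVEL is a value of ro.build.version.security_patch (YYYY-MM-DD).
#   Returns 0 when LEVEL is on or after FIXED_PATCH_LEVEL, 1 when it is
#   older, and 2 when the value is not a well-formed date.
patch_level_is_fixed() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Zero-padded ISO dates compare correctly as integers once the dashes
    # are removed (2019-10-06 -> 20191006), which keeps this POSIX sh only.
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$FIXED_PATCH_LEVEL" | tr -d '-')
    [ "$have" -ge "$need" ]
}

# verdict LEVEL
#   Prints a one-line human-readable result for LEVEL and echoes the
#   classification word so callers can act on it.
verdict() {
    rc=0
    patch_level_is_fixed "$1" || rc=$?
    case "$rc" in
        0) echo "patched: $1 is at or after $FIXED_PATCH_LEVEL" ;;
        1) echo "exposed: $1 predates $FIXED_PATCH_LEVEL, apply the update" ;;
        *) echo "unknown: '$1' is not a YYYY-MM-DD patch level" ;;
    esac
}

# read_device_patch_level
#   Pulls the live value from a USB-debugging-enabled device via adb.
#   Prints nothing when adb is absent or no device is attached.
read_device_patch_level() {
    command -v adb >/dev/null 2>&1 || return 0
    adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n'
}

# Usage: sh check_patch_level.sh [PATCH_LEVEL]
# With no argument the value is read from the connected device.
if [ -n "$1" ]; then
    verdict "$1"
else
    live=$(read_device_patch_level)
    [ -n "$live" ] && verdict "$live"
fi
```

The date check is deliberately a plain integer comparison on the stripped date string rather than a `date`-based parse, so it behaves the same on busybox, dash and bash; only the three outcomes (patched, exposed, unknown) matter to the operator.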
According to Google’s Project Zero team, the Israel-based cyberintelligence firm NSO Group is currently using or selling this exploit; however, the firm denies that claim.
The Bluetooth exploit works by allowing attackers to disguise themselves as a trusted application and request the permissions that let one Bluetooth-enabled device share data with another, such as a headset or a car’s “infotainment” system. For the attack to succeed, Bluetooth must be enabled on the target device and the victim must approve the attackers’ request for user-end privileges. Ultimately these actions give hackers access to data on the victim’s phone.
The second major Bluetooth exploit allows researchers to take advantage of an authentication-bypass vulnerability, dubbed “BlueRepli.” Would-be attackers can bypass authentication by imitating a device that has previously been connected to the target. Victims do not need to grant permission to a device for the exploit to work.
The NSA has warned that users who want to avoid exposing sensitive location data from their mobile phones should be aware that mobile devices calculate location using WiFi and/or Bluetooth metrics, even when GPS or location services are turned off.