Google’s top security engineers have found a new Android exploit that allows hackers take over a users mobile phone. However, users could avoid this issue by being aware of what they’re downloading on their devices.
Google’s Project Zero team a team that is focused on finding security bugs, discovered this vulnerability in late September and disclosed it on Thursday. The exploit is Android’s operating system kernel code, and if abused, hackers could get root access to a victim’s phone. Project Zero said they’ve already seen evidence of the exploit being used in the real world before it can be patched, making it what’s known as a zero-day vulnerability.
The security team gave a comprehensive list of mobile phone models running Android 8 or later could be affected by this venerable exploit:
- Pixel 2 with Android 9 and Android 10 preview
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung S7, S8, S9
This venerable exploit is listed as “High severity” and might affect even more phones than listed. Google is working to address the problem.
“Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming day,” a Google spokesperson said in an email Friday. “Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue.”
This vulnerability, however, requires actions from the users before a hacker can takeover a phone such as downloading malicious software. It can also be combined with a second exploit that targets the Chrome browser for a web-based attack. This means phone owners should stay aware of what they’re downloading and the websites they visit.
According to Google’s Project Zero team, the Israeli-based cyberintelligence firm NSO Group is currently using or selling this exploit, however the firm denies that claim.
“NSO did not sell and will never sell exploits or vulnerabilities,” an NSO Group spokesperson said Friday. “This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives.”