Android Zero-day Vulnerability

On October 4, 2019, a new Android zero-day vulnerability was made public. It has been exploited by the Israeli surveillance vendor NSO Group, which is famous for selling zero-day exploits. The vulnerability was discovered by Project Zero researcher Maddie Stone. The flaw was found in Android kernel versions 3.18, 4.14, 4.4, and 4.9, which were fixed in December 2017 without a CVE being assigned. The patches were not carried over to later models; as a result, smartphones running Android 8.x, 9.x and the preview version of 10 are vulnerable. With this vulnerability, unpatched devices can be easily compromised without the need for user interaction. The zero-day is a use-after-free vulnerability in the Android kernel's binder driver that can allow a local privileged attacker or an app to escalate their privileges to gain root access to a vulnerable device and potentially take full remote control of the device.

The flaw is now identified as CVE-2019-2215 and described as a:

"Kernel privilege escalation using a use-after-free vulnerability, accessible from inside the Chrome sandbox."

"This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit," the Android security team said in a statement.

"The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox," Stone says in the Chromium blog.

A majority of Android devices manufactured and sold by vendors with the unpatched kernel are still vulnerable even with the latest Android updates, including the popular smartphone models listed below:

  • Pixel 1
  • Pixel 1 XL
  • Pixel 2
  • Pixel 2 XL
  • Huawei P20
  • Xiaomi Redmi 5A
  • Xiaomi Redmi Note 5
  • Xiaomi A1
  • Oppo A3
  • Moto Z3
  • Oreo LG phones
  • Samsung S7
  • Samsung S8
  • Samsung S9

In addition, Google has confirmed that the Pixel 3 and Pixel 3a series smartphones are immune to the vulnerability.

Google further added:

“We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7-day disclosure deadline. After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.”

Google will soon be issuing a security patch to fix this vulnerability. In the meantime, to avoid becoming a victim of it, avoid downloading and installing apps from third-party app stores, and avoid any unnecessary apps, even from the Google Play Store.