A zero-day flaw in the Android operating system used by some of the most popular mobile phones on the market is being exploited in real-world attacks. The zero-day flaw is being exploited by the Israeli surveillance firm NSO Group, which is best known for selling zero-day exploits in operating systems to governments for the purpose of espionage.
The flaw is present in the Android Kernel binder driver and is a use-after-free vulnerability that allows a local privileged attacker or an app to escalate privileges and gain root access, allowing the attacker to take full control of a vulnerable device.
The flaw was identified by Maddie Stone of Project Zero, who released a proof-of-concept exploit for the flaw after it was reported to Google’s Android security team. The flaw has been assigned the CVE code CVE-2019-2215.
The flaw was previously patched in December 2017 in the 4.14 LTS Linux kernel, but the fix was not carried into every AOSP Android kernel version; only the 3.18, 4.4, and 4.9 kernels received it. As a result, several devices running the latest Android versions are still vulnerable to attack.
The flaw is reachable from inside the Chrome sandbox, so it can be exploited remotely via the web if it is combined with a Chrome renderer flaw. Alternatively, the flaw could be exploited if the user is convinced to download a malicious app.
The flaw was publicly disclosed 7 days after Google was notified, because the flaw is being actively exploited in the wild. Google will be issuing a patch for the flaw this October in its Android Security Bulletin, and the patch is already available in the Android Common Kernel. OEMs have been notified, although it may take some time for the patches to be rolled out.
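For administrators who need to know which handsets in a fleet are still exposed, the two facts above (the upstream fix is present from Linux 4.14 LTS, and Android ships the fix in the October 2019 security bulletin) give a simple triage rule. The following is an added example, not code from the article or from Project Zero; the device property values are constructed, and the kernel strings are assumed to come from `uname -r` on the device.

```python
"""Triage helper for CVE-2019-2215 exposure (added example, not from the article).

Rule derived from the article: a security patch level of October 2019 or later
proves the fix is present; a 4.14 or newer kernel is only *likely* patched,
since the upstream fix landed in 4.14 LTS in December 2017.
"""
import re
from typing import Dict, Tuple

# Constructed sample of `adb shell getprop` and `uname -r` values; not captured data.
SAMPLE_DEVICES: Dict[str, Dict[str, str]] = {
    "patched":    {"ro.build.version.security_patch": "2019-10-05",
                   "kernel": "4.9.112-perf+"},
    "exposed":    {"ro.build.version.security_patch": "2019-09-05",
                   "kernel": "4.4.153-perf"},
    "new_kernel": {"ro.build.version.security_patch": "2019-08-01",
                   "kernel": "4.14.78"},
}

FIXED_KERNEL = (4, 14)          # upstream fix shipped in the 4.14 LTS kernel
FIXED_PATCH_LEVEL = "2019-10"   # Android Security Bulletin month carrying the fix


def parse_kernel(uname_r: str) -> Tuple[int, int]:
    """Return (major, minor) from a `uname -r` string such as '4.9.112-perf+'."""
    m = re.match(r"(\d+)\.(\d+)", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel string: {uname_r!r}")
    return int(m.group(1)), int(m.group(2))


def assess(props: Dict[str, str]) -> str:
    """Classify one device as 'patched', 'likely-patched' or 'exposed'."""
    patch_level = props.get("ro.build.version.security_patch", "")
    # ISO YYYY-MM dates compare correctly as strings; a missing value compares low.
    if patch_level[:7] >= FIXED_PATCH_LEVEL:
        return "patched"
    if parse_kernel(props["kernel"]) >= FIXED_KERNEL:
        return "likely-patched"
    return "exposed"


def assess_fleet(fleet: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Apply assess() to every device in an inventory keyed by device name."""
    return {name: assess(props) for name, props in fleet.items()}
```

Treat "likely-patched" as a prompt to verify the OEM build rather than a guarantee, since an OEM may ship a 4.14 kernel that predates the December 2017 fix.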
The vulnerability has been confirmed as affecting the following Android devices:
- Pixel 1, Pixel 1 XL, Pixel 2, Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A, Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung S7, Samsung S8, Samsung S9
While the flaw is being exploited in real-world attacks, those attacks are highly targeted. Risk can be reduced by avoiding downloading apps from unofficial app stores. Since malicious apps can find their way into the Google Play Store, app downloads should be limited as far as possible until the flaw has been patched.