Hackers are using a zero-day vulnerability in Google’s Android operating system to take control, according to security researchers from Google’s Project Zero research group.
In a blog post, Project Zero member Maddie Stone said that there was evidence that this bug is being used in the wild. She said that the bug was "allegedly being used or sold by the NSO Group". The NSO was quick to deny the allegations. A spokesperson told the Verge that "this exploit has nothing to do with NSO".
Stone added that the bug "is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device."
"If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox."
She said that the issue was patched in Dec 2017 in the 4.14 LTS kernel, AOSP Android 3.18 kernel , AOSP Android 4.4 kernel , and AOSP Android 4.9 kernel, "but the Pixel 2 with most recent security bulletin is still vulnerable based on source code review."
According to the posting, the following devices are affected. Researchers said that the list is "non-exhaustive":
Pixel 1 XL
Pixel 2 XL
Xiaomi Redmi 5A
Xiaomi Redmi Note 5
Android Oreo LG phones
Samsung Galaxy S7
Samsung Galaxy S8
Samsung Galaxy S9
Google said that the vulnerability will be patched in Pixel devices in an upcoming update.
"This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation," said Tim Willis, another Project Zero member. "Any other vectors, such as via web browser, require chaining with an additional exploit."
Jonathan Knudsen, senior security strategist at Synopsys, told SC Media UK that the newly announced Project Zero disclosure involving a vulnerability in the Android kernel illustrates a classic division of labour between development teams and security teams.
"Vulnerabilities will inevitably slip through the cracks if security testing mechanisms aren’t incorporated into the testing phase of software development. Using a secure development life cycle (SDLC), including more and better security testing, means that more vulnerabilities will be located and eliminated before products are released," he said.
Craig Young, principal security researcher at Tripwire, told SC Media UK that the real irony of this situation is that Google’s own automated bug hunting tools found the kernel bug and got it fixed in 2017 and yet the Pixel 2 is vulnerable in 2019.
"This shines a light on a dark spot in Google and Linux’s overall security postures. Google found the bug and reported it to the kernel developers who fixed it in their actively supported kernels. Unfortunately, there was no apparent process in place to communicate the need to port this security fix to the kernel source used for various existing devices," he said.
Is Zero Trust really achievable given the complexity in finance service organisations?
Brought to you in partnership with Forescout