A zero-day vulnerability has been identified in the Android kernel,
affecting a large number of users and devices. The exploit has likely
already been used in the wild by the NSO Group, an Israeli company known
for selling surveillance tools built on zero-day exploits.
Zero-day vulnerabilities, bugs that are exploited before a fix is
available to users, are among the most dangerous found in apps and operating
systems. Sometimes researchers find them before anyone else does, but that
was not the case here: the exploit was already in use when the bug was found.
The vulnerability has yet to receive a catchier name and is
referred to for now only by its Common Vulnerabilities and Exposures
identifier, CVE-2019-2215. On its own it requires the execution of untrusted
app code on the device. Maddie Stone, the Google Project Zero security engineer
who identified the problem, said the kernel privilege escalation is also
reachable from inside the Chrome sandbox, which is what makes it usable in a
web-delivered exploit chain.
Anyone using a Pixel 1, Pixel 2, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi
Note 5, Xiaomi A1, Oppo A3, Moto Z3, an LG phone running Android Oreo, or a
Samsung Galaxy S7, S8 or S9 is affected; these are the devices Project Zero
confirmed as vulnerable.
What’s unusual is that the bug was already fixed in December 2017, without a CVE, in the Linux 4.14 LTS kernel and in the AOSP android 3.18, 4.4 and 4.9 kernels. Many shipping device kernels never picked up that fix, so the devices listed above are only the ones confirmed so far: any device whose kernel lacks the December 2017 fix is affected too, which is why every device on the list runs an older kernel.
“I received technical information from TAG and external parties about an Android exploit that is attributed to NSO group,” explained Stone in her Project Zero report. “The vulnerability is exploitable in Chrome’s renderer processes under Android’s ‘isolated_app’ SELinux domain, leading to us suspecting Binder as the vulnerable component. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”
There’s a bit of good news: the Google Pixel 3 and 3a are not affected, and a patch in the October 2019 update should close the vulnerability for the older Pixels. Users should keep in mind that Google’s patch only reaches devices running Google’s own Android builds. Every other manufacturer ships its own kernel and has to deploy the fix in its own update, so the security patch level reported by the device, not the Android version, is what tells you whether the fix has arrived.
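A practical way to act on the two points above (the fix was backported to the 3.18, 4.4 and 4.9 kernels in December 2017, and the patch reaches devices through each vendor's security update) is to triage a device by its kernel series and its reported security patch level. The script below is an added example, not code from the article or from Project Zero. It assumes that the bulletin patch level which first carried the fix is 2019-10-06 (the article only says "the October update", so verify that date against the October 2019 Android Security Bulletin), and it treats the kernel version only as a weak signal, because a 4.4 or 4.9 kernel may or may not carry the backport. The sample inputs at the bottom are constructed, not real device data.

```shell
#!/bin/sh
# Added example: triage a device for CVE-2019-2215 from its kernel version
# string and its Android security patch level. Not Project Zero's code.

# ASSUMPTION: the patch level that first shipped the fix. The article says
# only "the October update"; check the October 2019 bulletin before relying
# on this exact date.
BULLETIN_LEVEL="2019-10-06"

# Normalise YYYY-MM-DD to YYYYMMDD so two levels compare as integers.
level_to_int() {
    printf '%s' "$1" | tr -d -
}

# True (exit 0) when patch level $1 is at or after patch level $2.
# Exit 2 on a malformed level so a garbage value is never read as "patched".
patch_level_covers() {
    dev=$(level_to_int "$1")
    ref=$(level_to_int "$2")
    case "$dev" in ''|*[!0-9]*) return 2 ;; esac
    case "$ref" in ''|*[!0-9]*) return 2 ;; esac
    [ "$dev" -ge "$ref" ]
}

# True when the kernel series is 4.14 or newer, where the December 2017 fix
# lives in the LTS tree itself. 3.18, 4.4 and 4.9 only have it as a backport,
# so for those the version number alone proves nothing either way.
kernel_series_fixed_upstream() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 14 ]; }
}

# Verdict for one device: the patch level decides; the kernel series only
# softens the answer when the patch level is too old.
#   patched                 -> patch level at or after the bulletin
#   likely-fixed-upstream   -> old patch level, but a 4.14+ series kernel
#   at-risk                 -> old patch level on a 3.18/4.4/4.9 kernel
triage() {
    kernel="$1"; level="$2"
    if patch_level_covers "$level" "$BULLETIN_LEVEL"; then
        echo "patched"
    elif kernel_series_fixed_upstream "$kernel"; then
        echo "likely-fixed-upstream"
    else
        echo "at-risk"
    fi
}

# Read both values from a USB-attached device over adb. Not called
# automatically; ro.build.version.security_patch is the property vendors
# set to the bulletin level their update corresponds to.
check_attached_device() {
    k=$(adb shell uname -r | tr -d '\r')
    l=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s %s -> %s\n' "$k" "$l" "$(triage "$k" "$l")"
}

# Constructed sample inputs (not real device data), one per line:
# kernel-version patch-level
for sample in "4.4.153-perf 2019-09-05" \
              "4.9.96 2019-10-06" \
              "4.14.78 2019-08-05" \
              "3.18.71 2019-09-01"; do
    set -- $sample
    printf '%-14s %s -> %s\n' "$1" "$2" "$(triage "$1" "$2")"
done
```

Run it as-is to see the four constructed cases, or call `check_attached_device` from the same shell with a device plugged in and USB debugging enabled. The deliberately conservative part is the kernel check: it never upgrades a 3.18, 4.4 or 4.9 device to "patched" on version alone, since those series received the fix only as a backport that many vendor kernels never merged.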