Another zero-day vulnerability has surfaced, and while it doesn’t affect all Android devices, it does affect some of the most popular ones from Samsung, Google, Xiaomi and others.
Google’s Project Zero team reported that the vulnerability is being exploited as we speak. But there is a fix coming in the next security update, which should be available starting on Monday.
What is the exploit in question?
Well, Ars Technica did a pretty good job of breaking down the exploit, and how there are actually two ways that the exploit can be used:
“The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.”
The bug is essentially a “local privilege escalation vulnerability that allows for a full compromise of a vulnerable device.” They went on to say that if the exploit is delivered over the internet, it would only need to “be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”
The fact that this exploit can take control of your entire Android system can be pretty scary, but in reality it would likely never happen to you. Only a small (very small) group of people may be targeted for this exploit.
Make sure that you install any security updates that are available for your device. And again, this is why installing those security patches is so important.
Which devices are vulnerable?
Quite a few devices, but mostly those released in 2017 or earlier.
The list includes the Pixel, Pixel XL, Pixel 2 and Pixel 2 XL from Google; Samsung’s Galaxy S7, Galaxy S8 and Galaxy S9 (somehow the Galaxy Note series is unaffected); the Xiaomi Redmi 5A, Redmi Note 5 and A1; as well as the Huawei P20, Oppo A3 and Moto Z3. Rounding out the list are all of LG’s phones running Android Oreo.
Normally Google would let companies know about a vulnerability 90 days before it discloses it to the public. This gives these companies the ability to fix the issue before Google details how the exploit can be used, thereby protecting users.
But when it has evidence that an exploit is being used, that is reduced to seven days.
This zero-day vulnerability affecting Samsung devices is a pretty big deal, as that means that millions could be affected. Luckily, the update should be available for those three phones in the coming days, and the patches for the Pixel and Pixel 2 are coming on Monday. Google did also mention that the Pixel 3 and Pixel 3a lines are not affected by this exploit.