The Android zero-day was supposedly patched two years ago
AN ANDROID SECURITY FLAW that was supposedly patched two years ago is being exploited to take control of targets’ smartphones.
The vulnerability is being used in exploits developed by NSO Group, a company that specialises in finding and selling security flaws to nation-state APTs, or one of its customers.
That’s according to Google Project Zero security engineer Maddie Stone, who described it as a use-after-free security flaw.
It had supposedly been patched in December 2017, but millions of widely used Android phones remain vulnerable – possibly because a CVE for the security flaw was never published and, hence, the bug hasn’t been as actively tracked as it should have been.
Vulnerable devices include all models of Google Pixel and Pixel 2, the Samsung Galaxy S7, S8 and S9, the Huawei P20 and various models of Xiaomi, Oppo and Motorola (Lenovo) smartphones. According to Google, patches will be released in the October Android security update, at least for Pixel smartphones. It’s not clear whether the other devices listed will also be patched.
According to Stone, the bug and exploit methodology includes (but is not limited to) the following:
- It is a kernel privilege escalation using a use-after-free vulnerability, accessible from inside the Chrome sandbox;
- The bug was allegedly being used or sold by the NSO Group;
- It was patched in the Linux kernel from 4.14, but without a published CVE;
- CONFIG_DEBUG_LIST breaks the primitive;
- CONFIG_ARM64_UAO hinders exploitation;
- The vulnerability is exploitable in Chrome’s renderer processes under Android’s ‘isolated_app’ SELinux domain, leading us to suspect Binder as the vulnerable component;
- The exploit requires little or no per-device customisation.
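Two of the points above are things a defender can actually check on a device: whether the kernel build has CONFIG_DEBUG_LIST and CONFIG_ARM64_UAO enabled, and whether the running kernel is at or past the 4.14 release in which the fix landed. The script below is an added example, not code from the article or from Project Zero. It assumes the standard Kconfig `.config` text format (what `zcat /proc/config.gz` prints when the kernel exposes its config) and a `uname -r` style release string; the sample config and release string in it are constructed, not taken from any real device. The version test is only a heuristic, since Android vendor kernels routinely backport fixes without bumping the mainline version.

```python
"""Audit a kernel config and release string against the hardening options
the Project Zero description names as affecting this bug.

Added example: not from the article or from Project Zero. Assumes the
Kconfig '.config' text format and a 'uname -r' style release string.
"""
import gzip
import platform
import re
from typing import Dict, Optional, Tuple

# Options the article lists as affecting exploitability:
# CONFIG_DEBUG_LIST "breaks the primitive", CONFIG_ARM64_UAO "hinders exploitation".
MITIGATION_OPTIONS = ("CONFIG_DEBUG_LIST", "CONFIG_ARM64_UAO")

# Mainline release from which the article says the fix is present.
# Heuristic only: vendor kernels backport fixes, so an older version string
# does not by itself prove a device is unpatched.
FIXED_FROM = (4, 14)

_SET_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_kconfig(text: str) -> Dict[str, Optional[str]]:
    """Parse Kconfig text: enabled options map to their value ('y', 'm', a
    number or a quoted string); explicitly disabled options map to None."""
    options: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            options[m.group(1)] = None
    return options


def parse_kernel_version(release: str) -> Tuple[int, int]:
    """Extract (major, minor) from a release string such as '4.9.112-perf+'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def audit(config_text: str, release: str) -> Dict[str, object]:
    """Report the fixed-release heuristic and which mitigations are built in."""
    options = parse_kconfig(config_text)
    version = parse_kernel_version(release)
    mitigations = {opt: options.get(opt) == "y" for opt in MITIGATION_OPTIONS}
    return {
        "kernel": version,
        "at_or_above_fixed_release": version >= FIXED_FROM,
        "mitigations": mitigations,
        "mitigations_missing": [opt for opt, on in mitigations.items() if not on],
    }


def read_live_config(path: str = "/proc/config.gz") -> Optional[str]:
    """Return the running kernel's config if it is exposed, else None."""
    try:
        with gzip.open(path, "rt") as f:
            return f.read()
    except OSError:
        return None


# Constructed sample (not a real device): a 4.9-series vendor kernel config
# fragment with both mitigations disabled.
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_ARM64=y
CONFIG_ANDROID_BINDER_IPC=y
# CONFIG_DEBUG_LIST is not set
# CONFIG_ARM64_UAO is not set
CONFIG_DEBUG_KERNEL=y
"""
SAMPLE_RELEASE = "4.9.112-perf+"

if __name__ == "__main__":
    live = read_live_config()
    if live is not None:
        report = audit(live, platform.release())
    else:
        print("no /proc/config.gz on this host; auditing the constructed sample")
        report = audit(SAMPLE_CONFIG, SAMPLE_RELEASE)
    print(f"kernel {report['kernel'][0]}.{report['kernel'][1]}, "
          f"at or above {FIXED_FROM[0]}.{FIXED_FROM[1]}: "
          f"{report['at_or_above_fixed_release']}")
    for opt, on in report["mitigations"].items():
        print(f"{opt}: {'enabled' if on else 'MISSING'}")
```

On a device the config is only readable when the kernel was built with CONFIG_IKCONFIG_PROC, which many Android builds omit; in that case the boot image's kernel config has to be inspected offline, and the same `audit` function can be fed that text. A "missing" result means the exploit primitive is not hindered by that option, not that the device is confirmed vulnerable; the article's own point is that the fix may or may not have been backported by the vendor.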
However, Stone also admitted that, so far, Project Zero had not got hold of an exploit sample. “Without samples, we have neither been able to confirm the timeline nor the payload.
“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox,” wrote Stone in her advisory.
In a statement, Google indicated that it would devise a mitigation for the security flaw as soon as possible.
“This issue is rated as ‘high severity’ on Android and by itself requires installation of a malicious application for potential exploitation.
“Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.”
While Android had a reputation for lax security, Google has done much to tighten up in recent years – so much so that Android security flaws now fetch a premium in the open market over Apple iOS flaws. Nevertheless, new Android security flaws of varying sophistication are emerging all the time.
A large element of Android insecurity, though, is down to a lack of rigorous patching by the large number of providers, not to mention the mobile operators that supply them. µ