A month after revealing a set of previously unknown “zero-day” vulnerabilities in iOS, Google LLC has exposed a zero-day flaw affecting its own Android operating system.
The search giant published a technical description of the bug late Thursday. Project Zero, the Google security team behind the report, usually waits 90 days before publicizing a software vulnerability to give the software’s developers time to fix it. But in this case, the group made the disclosure after just a week because it found evidence that the bug is being actively exploited by hackers.
Project Zero team member Maddie Stone wrote that the bug “was allegedly being used or sold by the NSO Group,” an Israeli maker of surveillance software previously named as the creator of a zero-day WhatsApp exploit. The firm denied its involvement, telling Ars Technica that “this exploit has nothing to do with NSO.”
In any case, the bug exists in a part of the operating system known as the binder driver. It’s a communications mechanism that Android apps use to exchange data with one another. According to Google, hackers can weaponize the binder driver to launch a so-called privilege escalation attack and gain complete control of a device.
There are two ways to exploit the bug. An attacker could trick a user into downloading a malicious app or deliver the payload via an infected web page.
Google so far has identified 18 Android devices affected by the vulnerability, including its own Pixel and Pixel 2 phones as well as Samsung Electronics Co. Ltd.’s Galaxy S9. The Alphabet Inc. subsidiary warned that even more devices could potentially be vulnerable.
The list doesn’t include the newer Pixel 3 that Google launched last year, which has been confirmed not to be affected. Samsung’s latest Galaxy S10 flagship phone is absent from the list of exploitable devices too. That’s because the vulnerability found its way into Android via the Linux kernel. The Linux kernel’s developers resolved the issue in early 2018, but Google somehow ended up bundling an older, vulnerable version into a few Android releases.
The company will release a patch for affected Pixel phones this month and has notified other Android handset makers about the exploit.