An Android security flaw that was supposedly patched two years ago is being exploited to take control of targets’ smartphones.
In a blog post on Thursday (Oct. 3), Project Zero researchers said that they’ve discovered an actively exploited zero-day vulnerability that gives malicious hackers root access to a targeted Android phone.
According to the report, hackers can hijack phones either by getting users to install a malicious app or by chaining the flaw with a second vulnerability in the part of the Chrome browser that renders content, which then delivers the payload.
According to Google, the exploit “requires little or no per-device customization,” but does require the installation of “a malicious application” either “inside the Chrome sandbox” or via an untrusted app store or source. That means it can’t be remotely executed on its own, so you can stay safe by simply being vigilant.
“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Project Zero member Maddie Stone said in the post. “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”
Here’s a “non-exhaustive” list of which phone models running Android 8 or later could be affected by this exploit:
- Pixel 2 with Android 9 and Android 10 preview
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung Galaxy S7, S8, S9
The zero-day is now being tracked as CVE-2019-2215. The bug tracker entry from the Project Zero team holds proof-of-concept code and additional details for security researchers who want to reproduce the bug and test other devices.
Because exploiting the vulnerability requires either a malicious app installed on the device or a second exploit within the Chrome web browser, it shouldn’t be difficult to keep your phone safe even if you haven’t received the October 2019 security patch yet. Just be mindful of what third-party apps you install and refrain from installing apps from untrusted sources.