A new zero-day vulnerability was identified in the vanilla Android operating system, affecting a large number of users and devices. The exploit has likely already been used in the wild by the NSO Group, an Israel-based security company known for selling zero-day exploits.
Zero-day vulnerabilities are among the most dangerous bugs developers find in apps and operating systems. Sometimes, researchers find these types of vulnerabilities before anyone else learns about them, but that’s not always the case.
The vulnerability has yet to receive a catchier name and is referred to for now only by its Common Vulnerabilities and Exposures identifier, CVE-2019-2215. Exploiting it requires only the execution of untrusted app code. Maddie Stone, the Google Project Zero security engineer who identified the problem, said the kernel privilege escalation is reachable from inside the Chrome sandbox.
Anyone using a Pixel 1, Pixel 2, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3, Moto Z3, an LG phone running Android Oreo, or a Samsung S7, S8 or S9 is affected.
What’s unusual is that the bug was fixed in December 2017, without a CVE being assigned, in the Linux 4.14 LTS kernel and in the AOSP android-3.18, android-4.4 and android-4.9 kernels. This means the devices mentioned above are not the only ones affected; what they have in common is that they all run older kernels that never picked up that fix.
“I received technical information from TAG and external parties about an Android exploit that is attributed to NSO group,” explained Stone in her Project Zero report. “The vulnerability is exploitable in Chrome’s renderer processes under Android’s ‘isolated_app’ SELinux domain, leading to us suspecting Binder as the vulnerable component. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”
There’s a bit of good news, as Google Pixel 3 and 3a phones are not affected by the exploit, and a patch in the upcoming October update should close the vulnerability for the rest of the Pixels. Users should keep in mind that the patch only arrives for the Android vanilla version. Any company that doesn’t use the same vanilla Android iteration will have to deploy its own patches.
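Because the fix was backported to several kernel branches long before the CVE existed, the kernel version number alone does not tell you whether a given build carries it; the reliable signal for an end device is the security patch level the October update raises. The following shell function is an added example written for this article, not code from Google, Project Zero or the article itself. It takes the value of the real system property `ro.build.version.security_patch` (readable with `adb shell getprop ro.build.version.security_patch`) and reports whether the build is at or past the October 2019 patch month named above; the threshold month is the only fact it relies on from the article, and the sample values at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the article): decide whether an Android build's
# security patch level includes the October 2019 update that, per the
# article, closes CVE-2019-2215 on vanilla Android.
#
# Input: the value of ro.build.version.security_patch, format YYYY-MM-DD,
# obtained on a real device with:
#   adb shell getprop ro.build.version.security_patch
#
# The check deliberately ignores the kernel version: the fix was backported
# to the 3.18/4.4/4.9 AOSP kernels in December 2017, so "4.4" on its own
# says nothing about whether a particular vendor build carries it.

patched_for_cve_2019_2215() {
    level="$1"
    # Reject anything that is not a zero-padded ISO date.
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unrecognised patch level: '$level'" >&2; return 2 ;;
    esac
    y=$(printf '%s' "$level" | cut -c1-4)
    m=$(printf '%s' "$level" | cut -c6-7)
    m=${m#0}                      # "09" -> "9" so the numeric test is unambiguous
    # Threshold from the article: the October 2019 update (2019-10).
    if [ "$y" -gt 2019 ]; then
        return 0
    elif [ "$y" -eq 2019 ] && [ "$m" -ge 10 ]; then
        return 0
    fi
    return 1
}

# Constructed sample property values for a stand-alone run.
for sample in 2019-09-05 2019-10-05 2020-01-01 garbage; do
    if patched_for_cve_2019_2215 "$sample"; then
        echo "$sample: includes the October 2019 update"
    else
        echo "$sample: pre-October-2019 patch level or unparseable value"
    fi
done
```

On a non-Pixel device a patch level before 2019-10 is the expected result until the vendor ships its own build, which is exactly the caveat in the paragraph above: the property reflects what the vendor has merged, not what Google has published.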