Zero-day exploit discovered in Android core - Hitecher

Samsung, Xiaomi, Pixel and other smartphones are vulnerable to this bug.


Experts from Google Project Zero have discovered a zero-day exploit in the kernel of the Android operating system that would allow hackers to gain superuser access rights. The researchers believe that hackers have already started exploiting this vulnerability, which has been given the identifier CVE-2019-2215.

The issue dates back to 2017, when this bug was fixed in version 4.14 LTS of the Linux kernel, which is the basis for the Android system. The patches were merged into Android kernel versions 3.18, 4.14, 4.4 and 4.9, but for some reason, the problem persisted in later releases.

The existing exploit - a practical method of using the vulnerability - is quite universal, which makes it compatible with a wide range of devices. Smartphones running Android 8.x and above are under attack, in particular:

  • Pixel 2 on Android 9 and Android 10 preview;
  • Huawei P20;
  • Xiaomi Redmi 5A;
  • Xiaomi Redmi Note 5;
  • Xiaomi A1;
  • Oppo A3;
  • Moto Z3;
  • LG smartphones on Oreo;
  • Samsung S7, S8, S9.

Project Zero experts who discovered the exploit believe that it was developed by the famous Israeli company NSO Group, which specializes in developing legal applications of zero-day exploits. NSO Group products are targeted towards the governments and intelligence agencies of different countries.

However, representatives of the company denied these allegations, claiming that NSO Group does not sell exploits or information on vulnerabilities, instead focusing on developing solutions for official intelligence missions and law enforcement agencies.

The good news is that the vulnerability is not a high risk, as it can only be used after several conditions are met. For instance, the victim must have a malicious application installed on their device, and various remote attacks (for example, through a browser) require a large number of additional exploits to succeed.
