Android devices hit by zero-day exploit Google thought it had patched

Google has admitted that some Android smartphones have recently become vulnerable to a serious zero-day exploit that the company thought it had patched for good almost two years ago.

The issue came to light recently when the Google’s Threat Analysis Group (TAG) got wind that an exploit for an unknown flaw, attributed to the Israeli NSO Group, was being used in real-world attacks.

Digging deeper into the exploit’s behaviour, Project Zero researcher Maddie Stone said she was able to connect it to a flaw in Android kernel versions 3.18, 4.14, 4.4, and 4.9 that was fixed in December 2017 without a CVE being assigned.

Somehow, that good work was undone in some later models – or never applied in the first place – leaving a list of vulnerable smartphones running Android 8.x, 9.x and the preview version of 10.

The flaw is now identified as CVE-2019-2215 and described as a:

Kernel privilege escalation using a use-after-free vulnerability, accessible from inside the Chrome sandbox.

The result? Full compromise of unpatched devices, probably served from a malicious website without the need for user interaction, in conjunction with one or more other exploits. It also requires that the attacker has installed a malicious app.

Affected models:

  • Google – Pixel 1, Pixel 1 XL, Pixel 2, Pixel 2 XL
  • Samsung – S7, S8, S9
  • Xiaomi – Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1
  • Huawei – P20
  • Oppo – A3
  • Motorola – Moto Z3
  • LG – Oreo LG phones

This official list is probably not exhaustive, so just because your phone isn’t on the list doesn’t mean it isn’t vulnerable. However, Google has confirmed that the Pixel 3 and Pixel 3a are not affected. Google added:

We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7 day disclosure deadline. After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

For most users, a fix will ship with the October Android security update next week after phone makers have checked it works on their devices.

The unusual element of this story is the alleged involvement of the NSO Group, a commercial organisation connected to an attack in May affecting Facebook’s WhatsApp.

Many of the attacks involve campaigns against Non-Governmental Organisations (NGOs) using a spyware tool called Pegasus popular with nation-state intelligence services.

NSO has, of course, claimed that its tool is used legitimately although how it can be certain it hasn’t fallen into the wrong hands has never been made clear.