UnPatched Critical Zero-Day Vulnerability Impact Several Android phone models
Google has revealed that it has found evidence of an uncorrected
vulnerability in the Android operating system that is being used in real-world attacks currently named (CVE-2019-2215).
In December 2017, older Android versions were patched, even before the CVE number was provided to the flaw. However, Stone now found evidence that the vulnerability impacts newer OS versions on at least 18 Android phone brands, including Samsung, Xiaomi, Huawei, Pixel, Moto, LG, and others.
The researcher also mentioned in her report that the infamous spying group NSO is actively exploiting the vulnerability in the wild – the organization is known to be hunting zero-days, exploiting them, and then selling the gathered information to governments.
The publication about the exploit was announced on October 4, just seven days after it was reported to the Android security research team.
The two and half-year-old patch only applied to Android versions 3.18, 4.14, 4.4 and 4.9 fixed the flaw at the time. However, Stone said that many users running the most updated version of Android are still vulnerable. In particular, the following models that are running Android 8.x and later, are affected:
- Pixel 2 with Android 9 and Android 10 preview
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi-Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung S7, S8, S9
The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.
It only requires untrusted app code execution to exploit CVE-2019-2215. I’ve also attached a screenshot (success.png) of the POC running on a Pixel 2, running Android 10 with security patch level September 2019
Google said that the update would be available in the upcoming days. Nevertheless, the flaw, as of now, is still exploitable in the wild.