Google has confirmed that some Android smartphones are vulnerable to a serious zero-day kernel flaw that the company thought it had patched for good almost two years ago.
The issue came to light recently when Google’s Threat Analysis Group (TAG) got wind that an exploit for an unknown flaw, attributed to the Israeli NSO Group, was being used in real-world attacks.
Digging into the exploit’s behaviour, Project Zero researcher Maddie Stone was able to connect it to a use-after-free bug in the kernel’s Binder IPC driver, present in Android kernel versions 3.18, 4.4, 4.9 and 4.14, that was fixed in December 2017 without a CVE being assigned.
Somehow that fix was dropped from the kernels shipped with some later models, or was never applied in the first place, leaving a list of vulnerable smartphones running Android 8.x, 9.x and the preview version of 10.
The flaw is now identified as CVE-2019-2215 and described as a:
Kernel privilege escalation using a use-after-free vulnerability, accessible from inside the Chrome sandbox.
The result? Full compromise of an unpatched device. On its own the bug is only a local privilege escalation, so the attacker needs a foothold on the phone first: either a malicious app the victim has installed, or, if the exploit is served from a website, a separate browser (renderer) exploit chained with it. Because the flaw is reachable from inside the Chrome sandbox, no further user interaction is needed once that chain runs.
Affected models:
- Google – Pixel 1, Pixel 1 XL, Pixel 2, Pixel 2 XL
- Samsung – Galaxy S7, S8, S9
- Xiaomi – Redmi 5A, Redmi Note 5, A1
- Huawei – P20
- Oppo – A3
- Motorola – Moto Z3
- LG – phones running Android Oreo (8.x)
This official list is probably not exhaustive, so just because your phone isn’t on the list doesn’t mean it isn’t vulnerable. However, Google has confirmed that the Pixel 3 and Pixel 3a are not affected. Google added:
We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7 day disclosure deadline. After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
For most users, the fix will ship in the October Android security update next week, once phone makers have checked that it works on their devices.
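Because the fix is tied to a monthly security update rather than an Android version, the practical way to tell whether a handset has it is to read the device’s security patch level. The script below is an added example, not code from the article or from Google; it assumes, as the article states, that the October 2019 patch level (2019-10-01 or later) carries the fix, and that `adb` is installed and the phone has USB debugging enabled. Devices with an earlier patch level, or whose manufacturer never ships the update, are treated as still vulnerable.

```shell
# Added example: compare an Android security patch level against the October
# 2019 bulletin that the article says carries the CVE-2019-2215 fix.
# Assumption (not stated by Google in the article): any patch level of
# 2019-10-01 or later includes the fix; anything earlier is still vulnerable.

FIX_LEVEL="2019-10-01"

# Returns 0 ("true") when the given patch level (YYYY-MM-DD) is at or after
# FIX_LEVEL, 1 when it is earlier, and 2 when the value is malformed or empty
# (for example when getprop returns nothing on a non-standard build).
patch_level_is_fixed() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Strip the dashes so 2019-10-05 becomes 20191005 and compare numerically;
    # ISO dates sort correctly as plain integers.
    [ "$(printf '%s' "$level" | tr -d '-')" -ge "$(printf '%s' "$FIX_LEVEL" | tr -d '-')" ]
}

# Reads the live value from a USB-connected device. ro.build.version.security_patch
# is the standard property behind "Android security patch level" in Settings.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# Prints a one-line verdict for a given patch level string.
report() {
    level="$1"
    if patch_level_is_fixed "$level"; then
        echo "patch level $level: October 2019 update present, fix for CVE-2019-2215 assumed applied"
    else
        echo "patch level $level: NOT at the October 2019 level, treat as vulnerable to CVE-2019-2215"
    fi
}

# Usage with a phone attached:
#   report "$(device_patch_level)"
# Offline demonstration with constructed values (not from a real device):
report "2019-09-05"
report "2019-10-05"
```

Note that the patch level only tells you the fix is present if the manufacturer actually merged the kernel change into that build; on devices whose vendor kernel lags the bulletin, treat the October date as necessary but not sufficient.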
The unusual element of this story is the alleged involvement of the NSO Group, a commercial spyware vendor linked to the attack in May 2019 that exploited a flaw in Facebook’s WhatsApp.
Many of those attacks have been campaigns against Non-Governmental Organisations (NGOs) using NSO’s spyware tool Pegasus, which is popular with nation-state intelligence services.
NSO has, of course, claimed that its tool is used legitimately although how it can be certain it hasn’t fallen into the wrong hands has never been made clear.
Mahhn
Philosophical correction: – Many of the attacks involve campaigns against Non-Governmental Organisations (NGOs) “ab”using a spyware tool called “Microsoft” popular with nation-state intelligence services.
zele
Hello, nothing to do with Android, sorry. I just want to ask when Sophos for macOS Catalina will be released??? Since I did not see any Mac-related pub…. I asked here. Sorry.
best wishes
zeke
Paul Ducklin
The current product works on Catalina. There are some settings you need to change in Catalina itself to authorise our product to operate within Catalina’s new access control system – otherwise some files will be off-limits even to us:
https://community.sophos.com/kb/en-us/134552
zeke
thanks Paul. best wishes, z
Mary Caffrey
All these exploits + with corrupt phone carriers + their sales sites selling SIM card numbers etc. have caused consumers, like myself, to purchase phone after phone (for over a decade) willfully manufactured &/or altered + sold to be unsafe, also causing my USA identity etc. to be stolen. When will the consumer get reimbursed for unsafe phones purchased + harm caused?
I am again looking for two new mobile phones to buy + I hope not to be forced to buy Android ones. In the past I was told phones were not Androids but it turned out they were + I was not reimbursed.
Groan
> For most users, a fix will ship with the October Android security update next week after phone makers have checked it works on their devices.
Lol… no. “Most” Android users will never see this fix until they buy a new phone. Basically only Google’s own phones get timely security updates, and only then for 2 – 3 years. Other flagships get some updates. Non-flagship current devices from Samsung are up to 6 months behind on security updates. And that is not even accounting for the roughly half of Android devices that are in use but no longer receive security updates at all.
[URL removed]
Mahhn
Yep, built-in obsolescence. If Goog cared at all, they would make Android upgradable independent of the reseller. PCs: Winblows, Linux and Mac, it doesn’t matter where you bought it, you can download the updates. Goog – hell no – make the suckers buy a new device.
agg
Is there any way of checking if your specific phone / browser / OS combination is vulnerable? Would be nice if we had a site that checks your phone by actually performing a proof of concept hack.
damian
How does one check to see if they’ve been compromised? I have McAfee antivirus on my S7 and use a VPN when GPS is not on; does that not identify this compromise? What to do?
Android
Well, I hope someone will ransomware all the phones so our children and we can live a normal human life.