A dangerous zero-day vulnerability affecting at least a dozen different Android phone models is being actively exploited in the wild, according to Google's Project Zero team. Attackers who leverage the security flaw are able to gain full control of an affected Android phone. As of right now, no patch for the vulnerability exists (though one is being worked on).
Google's own first- and second-generation Pixel phones are among the Android models affected by this. So are a spattering of Samsung Galaxy phones. So far, Project Zero has confirmed the issue affects the following models...
- Pixel and Pixel XL
- Pixel 2 and Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung Galaxy S7, Galaxy S8, and Galaxy S9
This is a "non-exhaustive" list, so there could potentially be other Android handsets that are affected by the zero-day threat as well.
"The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox," Google's Project Team says.
Google's Android team rates this issue as being "High" severity, noting it requires the installation of a malicious application to be exploited. Other attack vectors, such as through a web browser, require chaining with an additional exploit.
"We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update," Google's Android team said.
The Project Zero team believes the hacking organization NSO Group is actively exploiting or selling the zero-day threat. This is the same organization that developed Pegasus, an exploit that can stealthily swipe cloud data from Amazon, Apple, Facebook, Google, and Microsoft, even when such data is hidden behind a two-factor authentication scheme.
Fortunately for those who are potentially affected by this, there are ways to avoid the threat while Google and its partners work on a patch. There are two ways this can be leverage—by installing a malicious, untrusted app, and through another exploit targeting an vulnerability in Chrome. It's good practice not to install untrusted apps, and users can further distance themselves from the threat by using a non-Chrome browser until a patch is rolled out.