Israel’s NSO Group blamed
A security researcher at Google’s Project Zero, Maddie Stone, has identified a “high severity” Android zero-day that affects a wide range of fully patched modern smartphones, including Samsung’s Galaxy S9.
The bug was being actively exploited by attackers in the wild.
Stone, in a report on Thursday, says Google’s Threat Analysis Group (TAG) and others have attributed the zero-day to Israeli cyber intelligence firm NSO Group. (The company gained notoriety in May for a WhatsApp exploit.)
Unusually for Android (a sprawling ecosystem of vendors, configurations and hardware/software variations that often results in exploits being limited to a subset of devices), the exploit requires “little or no per-device customization”.
Attackers need to either get a target phone to download an untrusted app, or use a second vulnerability in how the Chrome browser renders content in order to gain full access to one of the affected phones.
Kernel privilege escalation bug in Android affecting fully patched Pixel 2 & others. Reported under 7 day deadline due to evidence of in-the-wild exploit. @tehjh and I quickly wrote a POC to get arbitrary kernel r/w using this bug, released in tracker. https://t.co/x4Q1YxKczB
— Maddie Stone (@maddiestone) October 4, 2019
The Android zero day is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device, and appears to affect a wide range of phones including the Pixel 2, Huawei P20, Xiaomi Redmi 4 and 5, Oppo A3, Moto Z3, Oreo LG phones and Samsung’s S7, S8 and S9.
Stone wrote: “We do not currently have a sample of the exploit [as used by attackers]. Without samples, we have neither been able to confirm the timeline nor the payload.”
She added: “[The bug]… allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”
Android said: “This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation.
“Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.”
The vulnerability that the attack partly relies on (a use-after-free, a form of memory corruption bug) originally appeared in the Linux kernel and was patched there in early 2018, but without a tracking CVE being assigned.
The flaw is now CVE-2019-2215.
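To make the “use-after-free” term concrete, the following is an added illustration written for this article; it is not code from the Android kernel, from Project Zero, or from the exploit described above. It models a hypothetical session object that registers itself with a notifier table holding raw pointers. The buggy close path frees the object while the table still points at it (the freed memory would be touched on the next notification); the hardened close path drops every outstanding reference before freeing, which is the shape a kernel fix for this class of bug takes. A helper counts how many stale table entries remain so the two paths can be compared without ever dereferencing freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_WAITERS 4

/* Hypothetical object (constructed for this example, not a kernel type). */
struct session {
    int id;
    int open;
};

/* Hypothetical notifier table: raw pointers to sessions awaiting an event. */
static struct session *waiters[MAX_WAITERS];

static struct session *open_session(int id) {
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    s->id = id;
    s->open = 1;
    return s;
}

/* Store a raw pointer to s; returns 0 on success, -1 if the table is full. */
static int register_waiter(struct session *s) {
    for (int i = 0; i < MAX_WAITERS; i++) {
        if (waiters[i] == NULL) {
            waiters[i] = s;
            return 0;
        }
    }
    return -1;
}

static void unregister_waiter(struct session *s) {
    for (int i = 0; i < MAX_WAITERS; i++)
        if (waiters[i] == s) waiters[i] = NULL;
}

/* Vulnerable pattern: the object is freed while the notifier still holds a
 * pointer to it. Any later walk of waiters[] is a use-after-free. */
static void close_session_buggy(struct session *s) {
    s->open = 0;
    free(s);                       /* waiters[] still points at freed memory */
}

/* Hardened pattern: revoke every outstanding reference before the memory
 * is released, so nothing can observe the object afterwards. */
static void close_session_fixed(struct session *s) {
    unregister_waiter(s);          /* no reference may outlive this point */
    s->open = 0;
    free(s);
}

/* Number of table slots still holding a pointer. After close_session_fixed
 * this is 0; after close_session_buggy the freed pointer is still present.
 * Only the slot is inspected; the pointer itself is never dereferenced. */
static int dangling_waiters(void) {
    int n = 0;
    for (int i = 0; i < MAX_WAITERS; i++)
        if (waiters[i] != NULL) n++;
    return n;
}

/* Clear the table between demonstrations. */
static void reset_waiters(void) {
    memset(waiters, 0, sizeof waiters);
}

int main(void) {
    struct session *a = open_session(1);
    register_waiter(a);
    close_session_fixed(a);
    printf("fixed close leaves %d stale reference(s)\n", dangling_waiters());

    struct session *b = open_session(2);
    register_waiter(b);
    close_session_buggy(b);
    printf("buggy close leaves %d stale reference(s)\n", dangling_waiters());
    reset_waiters();               /* discard the stale slot; never follow it */
    return 0;
}
```

The defensive point is ownership discipline: whoever frees an object must first revoke every reference that other subsystems hold to it, and tools such as KASAN or a poisoning allocator exist precisely to catch the buggy path at the first stale access rather than at the moment an attacker reuses the freed slot.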
Google pushed out information about the issue seven days after reporting it privately to the Android team, rather than after the customary 90 days, owing to evidence of real-world exploitation.