A new 0-Day can be used to hack almost all Android phones available on the market
From the series "another day, another zero-day vulnerability" comes the world's most widely used mobile operating system, Android, which can now be hacked in no time.
The exploit for the high-severity security vulnerability, named CVE-2019-2215, has been made public today.
This new Android zero-day vulnerability has been found by the Israeli NSO Group.
Android is more and more affected by critical flaws. Not so long ago, another zero-day was found in the Android kernel's binder driver that can allow a local privileged hacker or app to escalate their privileges to gain root access to a vulnerable device and potentially take full remote control of the device.
Today's vulnerability affects any Android kernel released before April last year. Because of this, most Android devices manufactured and sold by a majority of vendors with the unpatched kernel are still vulnerable even after having the latest Android updates installed.
Some affected smartphone models:
Pixel 1
Pixel 1 XL
Pixel 2
Pixel 2 XL
Huawei P20
Xiaomi Redmi 5A
Xiaomi Redmi Note 5
Xiaomi A1
Oppo A3
Moto Z3
Oreo LG phones
Samsung S7
Samsung S8
Samsung S9
Exploit modus operandi:
According to cybersecurity researchers, the flaw can be accessed from inside the Chrome sandbox, meaning that this new Android kernel zero-day vulnerability can be exploited remotely by combining it with a separate Chrome rendering flaw.
The exploit is made possible by a local privilege escalation vulnerability that allows full compromise of a vulnerable device. If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit to make it fully remote.
Researchers warn that if the flaw is attached to a local exploit, it can be used to gain arbitrary kernel read/write when running locally.
Security recommendations:
Google will release a patch for this vulnerability in its October Android Security Bulletin, but most affected devices, unlike the Google Pixel 1 and 2, are unlikely to receive the patch immediately.
Keep in mind that the flaw is rated High in severity. The exploit can reach a device through a malicious application that is installed without the user even knowing. Any other vector, such as a web browser, requires chaining with an additional exploit, which makes it harder, but not impossible, for hackers to exploit an Android device.
All Android partners have already been notified, and the patches will be available for the Android Common Kernel ASAP. Pixel 3 and 3a devices are not vulnerable, while Pixel 1 and 2 devices will be receiving updates for this issue, experts say.