Security researchers exposed an unpatched zero-day flaw in Android devices. The flaw, which was discovered under active exploitation, affects most Android smartphones from popular brands.
According to Google’s Project Zero researcher Maddie Stone, the vulnerability, tracked as CVE-2019-2215, could allow an attacker to gain root access to the target devices. It’s said that the bug will not affect older smartphones.
“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox,” Maddie Stone said in an official statement. “This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via a web browser, require chaining with an additional exploit.”
The researcher stated that the bug poses a threat to the latest smartphones running Android 8.x, 9.x, and the preview version of 10. The affected models include: Google – Pixel 1, Pixel 1 XL, Pixel 2, Pixel 2 XL; Samsung – S7, S8, S9; Xiaomi – Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1; Huawei – P20; Oppo – A3; Motorola – Moto Z3; and LG – Oreo LG phones.
“We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7-day disclosure deadline. After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public. We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update,” Google said in a statement.
Google stated that it will release a patch with its October Android security update shortly after phone manufacturers’ approval.
Security threats to Android devices have increased in recent times. According to security firm Check Point Software Technologies, more than half of modern Android smartphones, including models by Sony, LG, Samsung, and Huawei, are vulnerable to a text-based phishing attack.
Malicious actors are using fake phone provisioning messages to trick Android phone users into accepting new settings that give attackers access. The researchers stated that the phishing attack is performed through a process called over-the-air (OTA) provisioning.
Check Point detailed the attack process as relying on OMA CP (Open Mobile Alliance Client Provisioning) instructions, a special SMS sent by a mobile operator to new devices for a network connection. Attackers send fake OMA CP messages to users, which allegedly allow them to access the victim’s email and web traffic, Check Point stated.