It was discovered by Google’s Project Zero team. Google’s Threat Analysis Group confirmed that the vulnerability has been used in real-world attacks.
Thankfully, this is not the worst Android exploit we have seen. ZDNet reports this is not an RCE (remote code execution), so it requires user interaction to take advantage of it. Unfortunately, it requires little or no per-device customization, so it should be able to work on a wide range of smartphones.
Thus far, the list of impacted handsets includes the following:
- Pixel 1 and 2
- Huawei P20
- Xiaomi Redmi 5A, Redmi Note 5, A1
- Oppo A3
- Moto Z3
- Android Oreo LG phones
- Samsung Galaxy S7, S8, S9
Google’s analyst team said it believes the exploit is the work of NSO Group, an Israel-based company known to sell exploits and surveillance tools. An NSO spokesman denies its involvement.
What’s interesting is that this vulnerability was originally patched back in 2017. In later Android updates, the bug reemerged in newer versions of the kernel and slipped under the radar.
A patch is now available on the Android Common Kernel, and Android partners have been informed. The Pixel 1 and 2 will receive the patch for this exploit this month, but who knows when the other vendors will get around to patching their devices.