Google Finds Zero-Day Android Exploit Affecting Pixel, Samsung, and Mo

Google Finds Zero-Day Android Exploit Affecting Pixel, Samsung, and Mo

Another day, another security exploit report from Google’s Project Zero team. This time, the vulnerability is in the company’s own Android operating system, which will no doubt please Apple. The exploit affects a handful of phones from Google, Samsung, Huawei, and others. Google also notes there is evidence the exploit is already active in the wild.

The vulnerability is part of the Android system kernel and can allow an attacker to gain root access on a phone. That means they could access data, modify system apps, track your location, and more. Strangely, Google identified this vulnerability in late 2017 and added a patch to the Android code. However, the patch was not carried over into newer versions of Android (8.0 and later) on some phones.

Currently, Google has identified several phones that are exploitable via this kernel flaw, including but not limited to Google’s own Pixel 2, the Huawei P20, Xiaomi Redmi Note 5, LG’s Oreo phones, and the Samsung Galaxy S8 through S9 family. Because the exploit exists at a very low level in the system, it requires almost no per-device customization.

Google says Israeli security firm NSO Group has been actively using the exploit, a claim the company denies. NSO may simply be denying that it’s engaged in any hacks itself, and that may be true — it could simply be helping others to do it. NSO Group has long been under fire for making mobile phone hacking tools, which it sells to oppressive governments that use them to spy on activists and protesters.

Google’s proof of concept from the public bug tracker.
Google’s proof of concept from the public bug tracker.

A zero-day vulnerability is never a good thing, but this one could have been much worse. The only way to compromise a device with this vulnerability is by installing an app. It’s not a remote code execution flaw, so Google has rated the vulnerability as “high” instead of “severe.” Google’s Play Protect system knows about this exploit, so it should never show up in any sketchy Play Store apps. Thus, the only way to infect a device is to trick someone into sideloading an APK via the browser or some other app. Users will have to jump through some hoops to make that happen thanks to Android’s current security model.

Google’s latest October system patches squash this bug once and for all. Google devices like the Pixel 2 will probably get that update in the coming days. However, other vulnerable phones will have to wait for OEMs to create new customized builds of the OS. In the meantime, be careful what you install from shady corners of the internet.

Continue reading

Google Pixel Slate Owners Report Failing Flash Storage
Google Pixel Slate Owners Report Failing Flash Storage

Google's product support forums are flooded with angry Pixel Slate owners who say their devices are running into frequent, crippling storage errors.

Google Kills Free Photo Storage, Changes What Counts Toward Storage Caps
Google Kills Free Photo Storage, Changes What Counts Toward Storage Caps

Google has announced some significant changes to Photos, especially if you use the service for automatic backup.

Time to Update: Google Patches 2 Severe Zero-Day Chrome Vulnerabilities
Time to Update: Google Patches 2 Severe Zero-Day Chrome Vulnerabilities

Unlike the last few zero-days, Google didn't find these security holes itself. Instead, it was tipped by anonymous third-parties, and the problems are severe enough that it hasn't released full details. Suffice it to say, you should stop putting off that update.

Nvidia, Google to Support Cloud Gaming on iPhone Via Web Apps
Nvidia, Google to Support Cloud Gaming on iPhone Via Web Apps

Both Nvidia and Google have announced iOS support for their respective cloud gaming platforms via progressive web applications. Apple can't block that.