Google has discovered an unpatched zero-day vulnerability in Android, its mobile operating system. The vulnerability affects the Google Pixel 1, Pixel 2, Huawei P20, Samsung Galaxy S7, Galaxy S8, Galaxy S9 and other devices. Since it is a zero-day exploit, the researchers disclosed it seven days after finding it. The bug affects smartphones running Android 8.x and later and is already being exploited in the wild. Interestingly, it is not a new bug and was discovered and patched in December 2017 on older versions of Android.
However, the patch was not carried over to newer versions of Google's mobile operating system. The Project Zero Team discovered the exploit first, and Google's Threat Analysis Group believes that it was used in a real-world attack by Israel's NSO Group. The company has been found to have used zero-day exploits on human rights and political activists. The report also notes that this zero-day exploit is not as dangerous as others in the past. It cannot be triggered by a web browser or other app without additional exploits already being in place.
“This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation,” a representative for Android said. “We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.”
The Project Zero Team at Google has been responsible for bringing to light some of the prominent zero-day vulnerabilities. It has often irked other tech companies by going public with its revelations about exploits. However, it is following the same due process with respect to the exploit found on its own Android operating system. Other devices that are affected by this exploit include the Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3 and the Moto Z3.