Google’s Project Zero team is warning Pixel, Pixel 2, Galaxy S9, Huawei P20, and millions of other Android phone users that a new zero-day vulnerability could let a hacker take full control of your phone. And what’s worse, there is evidence that it is being actively exploited in the wild.
As first spotted by Ars Technica, the issue was first patched in the December 2017 security update, but several phones are “still vulnerable based on source code review.” According to Google, the phones at risk include:
- Pixel and Pixel 2
- Samsung Galaxy S7, S8, and S9
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- LG phones running Android 8 Oreo
According to Google, the exploit “requires little or no per-device customization,” but does require the installation of “a malicious application” either “inside the Chrome sandbox” or via an untrusted app store or source. That means it can't be remotely executed, so you can stay safe by simply being vigilant. As researcher Maddie Stone explains, “The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”
Google escalated the bug from a 30-day public disclosure to a 7-day one after discovering that it was actively being exploited by the NSO group, a known Israeli-based “developer of exploits.” As Ars Technica explains, the group was previously connected to the Pegasus spyware that cropped up in 2016 on mobile devices.
In a statement, Google assured that a fix will be available soon: “Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming days. Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue.” The Pixel 3 and 3a are not affected by the exploit.
While the likelihood of this vulnerability impacting your phone is still slim, you should probably stay away from untrusted apps until the October security update arrives.