Google is warning owners of some popular Android devices to keep a close eye on their gear following the release of an exploit for an unpatched flaw.
A post from the Chocolate Factory's in-house Project Zero crew outlines the flaw, a use-after-free bug in the Android Binder driver that could be exploited by a local app to elevate privileges.
In fact, strike the "could" because Google bug-hunters say the flaw is already being targeted in the wild by criminals to compromise some Android devices, including the Pixel 2, Samsung S7-S9, Moto Z3, and Huawei P20, among others.
While the flaw in question is unpatched in the Android kernel, the underlying use-after-free issue has been known for years and was patched. In the more recent versions of Android, however, it re-emerged. There is currently no CVE number associated with the flaw.
"This issue was patched in Dec 2017 in the 4.14 LTS kernel, AOSP Android 3.18 kernel , AOSP Android 4.4 kernel , and AOSP Android 4.9 kernel," notes Project Zero's Maddie Stone, "but the Pixel 2 with most recent security bulletin is still vulnerable based on source code review."
Microsoft has made an Android phone. Repeat, Microsoft has made an Android phone. A dual-screen foldable mobe not due until late 2020READ MORE
Early speculation by the team is that the in-the-wild exploits were the work of NSO Group, the Israeli security software firm known for dealing in malware for government agencies. When contacted by The Register for comment, however, NSO group firmly denied the allegation.
"NSO did not sell and will never sell exploits or vulnerabilities," a spokesperson said.
"This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives."
As the vulnerability must be exploited locally, users and admins will go a long way towards protecting themselves by making sure they do not download any apps from untrusted sources and keep their systems updated to block against other flaws that could be chained with this bug to create remote attacks. ®