Today Google disclosed a zero-day security vulnerability that affects many devices running Android 8.x or newer. The bug would allow an attacker to gain root access to a device, although certain preconditions must exist beforehand. Widely used devices from many brands are affected, including Samsung, Xiaomi, Huawei and even Google Pixel devices.
Even though the vulnerability is rated “High”, there is no need to panic just yet. It is not as dangerous as it could have been, or as other zero-day vulnerabilities have been in the past, since it does not allow remote code execution. However, someone with access to the phone could install an application that would gain root access without the device actually being rooted. “We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update,” the Android team said. The vulnerability is, however, linked to real-world attacks, which are believed to be the work of the NSO Group, an Israel-based company known for selling exploits and surveillance tools.
The devices known to be vulnerable are listed below, but other, as yet unidentified smartphones may also be affected:
- Pixel 2 with Android 9 and Android 10 preview
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung S7, S8, S9