Google warns the users that Exploit requires little or no customization to fully root vulnerable phones. Vulnerability was first patched in Android kernel versions 3.18, 4.14, 4.4 and 4.9 on December,2017. Now newer versions of Android are also found to be vulnerable based on the source code review.
Google Zero Day Project researcher Stone says “The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,”. This vulnerability can be exploited in two ways. One is If user install the untrusted applications and second one is attacking via web. For online attack, Hackers would combine exploit with a second exploit, as this vulnerability is accessible through the sandbox. Attackers are exploiting a zero-day vulnerability in a 18 different phone models including the below phones.
Google confirms, these are the list of phones at risk:
- Pixel 1
- Pixel 1 XL
- Pixel 2
- Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- LG phones running Oreo
- Samsung S7
- Samsung S8
- Samsung S9
Google’s Android team assured that Pixel 3 and 3a are not vulnerable to this issue and the Pixel 1 and Pixel 2 devices will be protected with the October security update. Also patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue. The schedule for other devices to be patched is not immediately clear.
If you are using any of these phones, you should probably stay away from the untrusted applications until the October security update arrives.