Google researchers discover critical Android security flaw; Pixel, Samsung, Huawei, Xiaomi phones affected
Google's Project Zero researchers have discovered a critical security flaw in its own Android operating system that affects some popular smartphones across brands. The researchers say the "zero-day" flaw was exploited in the real world by Israel's NSO Group, known for the Pegasus interception software.
The flaw affects Google's recent Android 8.x and later versions. Interestingly, the bug had been fixed in earlier kernel versions (3.18, 4.4, 4.9) but resurfaced.
According to Google researchers, the Android vulnerability affects the following phones: Samsung S7, Samsung S8 and Samsung S9, LG Oreo, Moto Z3, Oppo A3, Xiaomi Mi A1, Xiaomi Redmi Note 5 and Xiaomi Redmi 5A, Huawei P20, and Google's own Pixel 2 running Android 9 and Android 10.
The researchers also pointed out that while the security flaw is critical, it is not as dangerous as other zero-day exploits.
"This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit," an Android spokesperson explained on the official forum.
"We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update."
Saket Modi, CEO and co-founder of Lucideus, said that even though the vulnerability is severe and could be used to gain root access to an Android device, users need not be worried. He also recommended that users avoid downloading apps from third-party app stores.
"The Android kernel 'mobile station modem (MSM)' is vulnerable to a use-after-free vulnerability. This is a memory corruption gap that can be used to execute arbitrary code or crash a cell phone. This use-after-free scenario can occur when 'the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behaviour in the process, which an attacker can take advantage of to further gain root access to the device,'" he explained.
"A similar kind of vulnerability was identified with Microsoft and its Internet Explorer web browser since 2013, which has since received numerous security patches to update a variety of Use-After-Free security vulnerabilities," he added.
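The use-after-free scenario described in the quote above, as an added example that is not part of the article and is not Android kernel code: a constructed fixed-slot allocator with a per-slot generation counter (all names here are hypothetical) makes the slot reuse deterministic, so the stale write through the original handle visibly corrupts the new owner's data, while the generation-checked access path rejects the stale handle before any write happens.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a kernel allocator: four fixed slots, each with a
 * generation counter bumped on every free. A handle records the generation
 * it was issued with, so a freed-and-reused slot no longer matches it. */
#define SLOTS 4
typedef struct { uint32_t gen; uint32_t in_use; int32_t value; } slot_t;
typedef struct { int idx; uint32_t gen; } handle_t;
static slot_t heap[SLOTS];

static handle_t slot_alloc(int32_t value) {
    for (int i = 0; i < SLOTS; i++)
        if (!heap[i].in_use) {
            heap[i].in_use = 1; heap[i].value = value;
            return (handle_t){ i, heap[i].gen };
        }
    return (handle_t){ -1, 0 };
}
static void slot_free(handle_t h) { heap[h.idx].in_use = 0; heap[h.idx].gen++; }

/* Unchecked access: the raw pointer outlives the allocation (use-after-free). */
static int32_t *raw_ptr(handle_t h) { return &heap[h.idx].value; }
/* Checked access: refuses a handle whose slot was freed (and possibly reused). */
static int32_t *checked_ptr(handle_t h) {
    return (heap[h.idx].in_use && heap[h.idx].gen == h.gen) ? &heap[h.idx].value : NULL;
}

/* Returns the value the second owner sees after the stale write (-1, not 1000). */
int32_t demo_vulnerable(void) {
    memset(heap, 0, sizeof heap);
    handle_t a = slot_alloc(1);      /* original owner */
    slot_free(a);                    /* freed, but 'a' is still held */
    handle_t b = slot_alloc(1000);   /* same slot handed to a new owner */
    *raw_ptr(a) = -1;                /* stale pointer corrupts b's data */
    return heap[b.idx].value;
}
/* Returns 1 when the stale access is rejected and b's data stays intact. */
int demo_hardened(void) {
    memset(heap, 0, sizeof heap);
    handle_t a = slot_alloc(1);
    slot_free(a);
    handle_t b = slot_alloc(1000);
    int32_t *p = checked_ptr(a);     /* NULL: generation no longer matches */
    if (p) *p = -1;
    return p == NULL && heap[b.idx].value == 1000;
}
```

The generation check mirrors the defensive idea behind allocator quarantines and tagged handles: a dangling reference must fail closed rather than silently alias whatever now occupies the memory.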