Android Zero-Day Attack Can Hijack Pixel, Samsung Phones: What to Do

A slew of recent Android phones, including widely used Samsung Galaxy and Google Pixel models, are vulnerable to a serious Android security flaw, Google's Project Zero has revealed. The flaw may affect most pre-2019 Android phones.

In a blog post on Thursday (Oct. 3), Project Zero researchers said that they've discovered an actively exploited zero-day vulnerability that gives malicious hackers root access to a targeted Android phone.

According to the report, hackers can hijack phones by getting users to install a malicious app, or by combining the flaw with another vulnerability, one in the part of the Chrome browser that renders content, to deliver the payload.

A zero-day vulnerability is one that becomes known or is exploited before software developers can prepare a fix, giving users no immediate protection.

Active attack

According to Project Zero, there's evidence that the exploit is "allegedly being used or sold by" the NSO Group, an Israeli company that sells spyware to intelligence and law-enforcement agencies. The NSO Group denied that in an email to Ars Technica.

The Project Zero researchers tested the exploit and proved that it works on the Google Pixel 1 and Pixel 2 phones, but does not work on the Pixel 3 or 3a. 

After examining the source code of the Android builds used by various recent models, the researchers determined that the exploit should also work on many other phones released before the fall of 2018, including Samsung's Galaxy S7, Galaxy S8, and Galaxy S9 models, as well as the Huawei P20, Motorola Moto Z3, Oppo A3 and Xiaomi A1, Redmi 5A and Redmi Note 5. 

The Project Zero blog post also lists "Oreo LG phones," which might mean that recent LG phones running Android 8 Oreo are vulnerable. The researchers noted that their list is by no means "exhaustive" and that the flaw likely affects many more Android phones.

Most pre-2019 Android phones may be affected

The underlying flaw is in the Linux kernel and was patched with kernel version 4.14 in late 2017, which made its way into the official Android builds in early 2018 and from there to Android devices released later that year. 

But the fix was never pushed out to older phones as part of the official Android monthly security patches. That includes even some models released later in 2018, such as the Galaxy S9 and the Moto Z3. By implication, all devices released before the fall of 2018 are likely vulnerable.

Although Project Zero researchers called the threat a "high severity" concern, they added that the process isn't necessarily simple for hackers. You would need to install an app or get targeted by two different exploits, although there is no shortage of malicious Android apps even in the Google Play store.

“This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation,” Project Zero researcher Tim Willis said. “Any other vectors, such as via web browser, require chaining with an additional exploit.”

In the Android ecosystem, actually getting updates pushed to your phone, especially an older phone, can be difficult. Google will be patching the vulnerability in its imminent October Android security update for all of its Pixel phones, but there's no guarantee that other affected devices will get a quick fix, or any fix at all.

If you have an Android phone released before 2019, be careful to not download apps from unknown or untrustworthy sources. If you happen to be using Chrome on an affected device, consider using another browser. And consider running antivirus software on your phone -- here's our list of the best Android antivirus apps.

Don Reisinger is CEO and founder of D2 Tech Agency. A communications strategist, consultant, and copywriter, Don has also written for many leading technology and business publications including CNET, Fortune Magazine, The New York Times, Forbes, Computerworld, Digital Trends, TechCrunch and Slashgear. He has also written for Tom's Guide for many years, contributing hundreds of articles on everything from phones to games to streaming and smart home.
