A slew of recent Android phones, including widely used Samsung Galaxy and Google Pixel models, are vulnerable to a serious Android security flaw, Google's Project Zero has revealed. The flaw may affect most pre-2019 Android phones.
In a blog post on Thursday (Oct. 3), Project Zero researchers said that they've discovered an actively exploited zero-day vulnerability that gives malicious hackers root access to a targeted Android phone.
According to the report, hackers can hijack phones by getting users to install a malicious app, or by combining the flaw with another vulnerability in the Chrome browser, which renders the content and delivers the payload.
A zero-day vulnerability is one that is exploited or disclosed before software developers can prepare a fix, giving users no immediate protection.
According to Project Zero, there's evidence that the exploit is "allegedly being used or sold by" the NSO Group, an Israeli company that specializes in selling spyware to intelligence and law-enforcement agencies. The NSO Group denied that in an email to Ars Technica.
The Project Zero researchers tested the exploit and proved that it works on the Google Pixel 1 and Pixel 2 phones, but does not work on the Pixel 3 or 3a.
After examining the source code of the Android builds used by various recent models, the researchers determined that the exploit should also work on many other phones released before the fall of 2018, including Samsung's Galaxy S7, Galaxy S8, and Galaxy S9 models, as well as the Huawei P20, Motorola Moto Z3, Oppo A3 and Xiaomi A1, Redmi 5A and Redmi Note 5.
The Project Zero blog post also lists "Oreo LG phones," which might mean that recent LG phones running Android 8 Oreo are vulnerable. The researchers noted that their list is by no means "exhaustive" and that the flaw likely affects many more Android phones.
Most pre-2019 Android phones may be affected
The underlying flaw is in the Linux kernel and was patched with kernel version 4.14 in late 2017, which made its way into the official Android builds in early 2018 and from there to Android devices released later that year.
But the fix was never pushed out to older phones as part of the official Android monthly security patches, including even some models released later in 2018 such as the Galaxy S9 and the Moto Z3. By implication, all devices released before the fall of 2018 are likely vulnerable.
Although Project Zero researchers called the threat a "high severity" concern, they added that the process isn't necessarily simple for hackers. You would need to install an app or get targeted by two different exploits, although there is no shortage of malicious Android apps even in the Google Play store.
“This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation,” Project Zero researcher Tim Willis said. “Any other vectors, such as via web browser, require chaining with an additional exploit.”
In the Android ecosystem, actually getting updates pushed to your phone, especially an older phone, can be difficult. Google will be patching the vulnerability in its imminent October Android security update for all of its Pixel phones, but there's no guarantee that other affected devices will get a quick fix, or any fix at all.
If you have an Android phone released before 2019, be careful to not download apps from unknown or untrustworthy sources. If you happen to be using Chrome on an affected device, consider using another browser. And consider running antivirus software on your phone -- here's our list of the best Android antivirus apps.