MobileNews

Attackers get full control of Android phones, inc Pixel and Samsung models

Attackers are exploiting a zero-day vulnerability that allows them to take full control of the Android phone models identified below, including Pixel and Samsung ones.

Evidence that the vulnerability is actively being exploited was reported by Google’s Project Zero team …



notes that there are two different ways attackers can use the exploit.

There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero member Maddie Stone said in a post. Exploits require little or no customization to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.

“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Stone wrote. “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”

The list of Android devices known to be vulnerable to it includes the following, but this is described as ‘non-exhaustive,’ suggesting that others will come to light when tested.

NSO has in the past been able to use similar vulnerabilities to take full control of Android phones to not only access personal data, such as the content of messages, but even turn the phone into a bugging device.

Stone said that information she received from Google’s Threat Analysis Group indicated the exploit was “allegedly being used or sold by the NSO Group,” a developer of exploits it sells to various government entities. Israel-based NSO gained widespread attention with the discoveries in 2016 and 2017 of an advanced piece of mobile spyware it developed called Pegasus. It jailbreaks or roots both iOS and Android phones so it can trawl through private messages, activate the microphone and camera, and collect all kinds of other sensitive information.

Project Zero normally gives companies 90 days to fix a vulnerability before disclosing it, but it reduces this to seven days when it has evidence that exploits are already in use in the wild. Google says that it will patch the problem for Pixel 1 and 2 models in the next few days, and that the Pixel 3 and 3a are not affected.

If you have one of the affected phones, make sure you install the October Android security update as soon as it is available.

Check out 9to5Google on YouTube for more news:

Check out the latest Samsung phones at great prices from Gizmofashion – our recommended retail partner.


Author: Ben Lovejoy
Source: 9TO5Google

Related posts
Cleantech & EV'sNews

Einride deploys first daily commercial operations of autonomous trucks in Europe

Cleantech & EV'sNews

ChargePoint collaborates with GM Energy to deploy up to 500 EV fast chargers with Omni Ports

Cleantech & EV'sNews

How Ukraine assassinated a Russian general with an electric scooter

CryptoNews

Day-1 Crypto Executive Orders? Bitcoin Bulls Brace for Trump's Big Move

Sign up for our Newsletter and
stay informed!