Digital forensics specialists have revealed the existence of a zero-day vulnerability in the Android operating system that, if exploited, could grant threat actors full control of at least 18 smartphone models from various manufacturers. Among them are four Google Pixel models. The information was confirmed by Maddie Stone, a security researcher at Google’s Project Zero.
Stone says there is evidence that the vulnerability is being actively exploited: “Those responsible are exploit developers NSO Group or one of their clients instead”, she adds. In response, NSO Group issued a statement claiming that it has nothing to do with the alleged exploitation of this vulnerability.
According to Project Zero’s digital forensics experts, the vulnerability is a local privilege escalation that allows the target device to be fully compromised. “If the exploit is delivered via web it only needs to be paired with an exploit renderer, as the vulnerability is accessible via sandbox,” Stone says.
Digital forensics experts on Google’s Android team added to Stone’s statements, saying that the company will fix the vulnerability for all exposed Pixel smartphones in the October operating system update. There are still no estimated dates for fixes from the other manufacturers.
Members of the Android team also mentioned that this vulnerability is considered critical, as exploitation only requires the installation of a malicious app. Project Zero's research is still ongoing; so far, the list of smartphones exposed to exploitation of this vulnerability includes:
- Pixel 1
- Pixel 1 XL
- Pixel 2
- Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- LG Oreo phones
- Samsung S7
- Samsung S8
- Samsung S9
Google’s Threat Analysis team informed Project Zero that, based on the detected indicators of compromise, it was possible to link exploitation of this vulnerability to NSO Group, an Israeli company dedicated to the development of exploits, spyware and other solutions for sale to various governments.
Hours after Project Zero’s information was revealed, company representatives said that “NSO Group has never sold or will sell vulnerabilities or exploits. The exploit for the recently revealed zero-day vulnerability has nothing to do with us.” Representatives insist that NSO Group focuses exclusively on developing software solutions to support the work of intelligence and law enforcement agencies around the world.
However, the company has been singled out for its involvement in the development and sale of highly sophisticated spyware. In 2017, digital forensics specialists from the International Institute of Cyber Security (IICS) reported the emergence of a spyware known as Pegasus, capable of collecting messages, tracking location and activating the microphone and camera of an iOS or Android device. This malware has been used in multiple espionage campaigns against journalists, activists and political dissidents.