Maddie Stone, a member of Google's Project Zero hacking team, warns of a serious security vulnerability affecting several Android devices - including Google's own models. It's supposed to be a fitting exploit, writes Stone, a program that says the gap can be exploited.
According to Stone, the exploit is attributed to the NSO Group, a notorious cybersecurity company based in Israel. The company could have used it himself or provided one to their customers. That an exploit is assigned directly to a company is rather rare.
The bug in the Android system allows attackers to take over the devices, if the user has previously installed a defective app, it says in Stone's remarks. Alternatively, however, an attack from a distance via the Chrome browser should be possible. However, the gap must be combined with the exploitation of a second vulnerability.
According to Maddie Stone, the gap for the widespread Google smartphones Pixel and the Pixel 2 and their XL variants poses a security risk. Also prone to at least the Huawei P20, the Xiaomi Redmi 5A, the Xiaomi Redmi Note 5, the Xiaomi A1, the Oppo A3, the Moto Z3, LG smartphones with Android 8 (Oreo) and the Samsung smartphones S7, S8 and S9.
Newer pixel devices are protected
The Android team has rated the problem as serious, writes Stones Project Zero colleague Tim Willis. Google Pixel 3 and 3a devices are therefore not affected by the gap. On the older, endangered Pixel models the weak point in the context of the regular October update is to be closed.
When and if even the smartphones of the other manufacturers will be protected against the attack remained unclear at first. The Android team said that the partner companies had been informed and that a patch had been made available to them.
Google's Project Zero typically gives manufacturers 90 days to close reported gaps. In the current case, it was decided, however, after seven days publicly to draw attention to the problem, since the gap is already actively exploited by attackers.
The tech magazine "ArsTechnica" comes in the light of the gap to the assessment that owners of vulnerable Android devices should not panic. The chance to become the target of the described attacks is extremely low. But it could be quite useful to do without the installation of urgently needed apps, they say. Similarly, one could consider not using the Chrome browser on vulnerable devices until a security update of the mobile phone manufacturer has been recorded.