Major Google Android Bug Lets Hackers Gain Full Control over Some of the World's Most Popular Phones

Some of the world's most popular smartphones are affected by a major security vulnerability that allows attackers to fully take over the handsets, researchers warn.

The flaw, which evidence suggests is still being actively exploited, can be abused to compromise devices from companies including Samsung, Huawei and Motorola. It has been linked to an Israeli spyware firm known as NSO Group, which sells hacking tools to covertly infiltrate phones.

The OS bug, which is known as a "zero-day" because it was previously unknown to the companies involved, was found this month by cybersecurity experts at Project Zero, a division of Google.

"The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox," said researcher Maddie Stone.

In recent days, Project Zero members have been toiling over the Android OS code in an attempt to determine the exact nature of the flaw, and what type of smartphones are potentially vulnerable to its charms. "We have evidence that this bug is being used in the wild," experts warned.

Research indicates that impacted devices include the Pixel 1 and 2, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3, Moto Z3, Oreo LG phones and the Samsung S7, S8, S9. It is understood Pixel 3 and 3a devices, both from Google itself, are not vulnerable.

The Samsung Galaxy S8 during a showcase to mark the domestic launch of Samsung Electronics' latest flagship smartphone in Seoul on April 13, 2017. Getty/JUNG YEON-JE/AFP

Ars Technica reports the flaw can be exploited by installing an untrusted mobile app. Project Zero confirmed in its advisory that it requires "little or no per-device customization" to take hold. It was not immediately clear what type of data the bug was being used to exfiltrate from devices, but prior NSO Group malware, such as Pegasus, was used to snoop on calls, texts and real-time audio.

The organization, which markets spyware to governments, police and security services, recently hit the headlines after its hacking tools appeared to be targeting Facebook's WhatsApp.

For years, human rights campaigners have warned the secretive firm has sold surveillance technology that was later used to spy on journalists and activists. In most instances, the operations have been highly targeted, so it remains unlikely the majority of users will ever be on the receiving end of its malware. The firm says its tools are used to combat crime and terrorism.

Kernel privilege escalation bug in Android affecting fully patched Pixel 2 & others. Reported under 7 day deadline due to evidence of in-the-wild exploit. @tehjh and I quickly wrote a POC to get arbitrary kernel r/w using this bug, released in tracker.

— Maddie Stone (@maddiestone) October 4, 2019

To stay protected, users should ensure all new software patches are installed.

"This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation," Google Android said.

"Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update." The statement was obtained by Project Zero member Tim Willis.