Older zero-day Android exploit still affects Google Pixel, Samsung Galaxy and other handhelds

Google Project Zero recently discovered that the previously patched zero-day vulnerability affecting Android smartphones in late 2017 is still posing security threat to a series of models that did not receive a proper code update. The affected models include: Pixel / Pixel 2, Samsung Galaxy S7/8/9, Huawei P20, Xiaomi Redmi 5A / Note 5, Xiaomi A1, Oppo A3, Moto Z3, plus all LG handhelds initially launched with Android 8.0 back in 2H 2017.

Unlike other security breaches that only pose a theoretical threat, this zero-day exploit is already being actively exploited by the Israeli-based NSO hacking team, which was responsible for the proliferation of the Pegasus smartphone spyware released in 2016. Google informs that the hackers can gain complete access of the affected phone through malicious code acquired via an untrusted app.

Researcher Maddie Stone explains that “the bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”

Pixel and Pixel 2 devices will receive a security update in the next few days, while the other OEMs are strongly advised to update their handheld software in order to include the latest security patch issued by Google, which further cautions users of the aforementioned models to stay away from untrusted apps until the October security update is made available.