Unpatched Android flaw exploited by attackers, impacts Pixel, Samsung, Xiaomi devices

A privilege escalation vulnerability affecting phones running Android 8.x and later is being leveraged by attackers in the wild, Google has revealed.

Interestingly enough, the flaw was patched in late 2017 in v4.14 of the Linux kernel and in Android versions 3.18, 4.4, and 4.9, but the fix was apparently never propagated to later Android versions.

Who’s affected?

Maddie Stone, a Senior Security Engineer on the Android Security team at Google, revealed that a number of Android devices are affected/vulnerable, including Pixel 2 with Android 9 and Android 10 and the following ones with Android 8.x:

• Huawei P20
• Xiaomi Redmi 5A
• Xiaomi Redmi Note 5
• Xiaomi A1
• Oppo A3
• Moto Z3
• Oreo LG phones
• Samsung S7, S8, S9

The list might not be exhaustive, as it was compiled based on source code review. Stone has included a local PoC exploit in the bug report so other devices can be tested and the list updated (if needed).

Who’s abusing CVE-2019-2215 and when will it be fixed?

The bug was initially not given a CVE number, but is now tracked as CVE-2019-2215.

Its exploitation in the wild was flagged by researchers with Google’s Threat Analysis Group (TAG) and external parties, and the exploit is believed to originate with NSO Group, an Israel-based company that specializes in lawful surveillance software and whose offerings (most notably the Pegasus mobile spyware) are abused by oppressive regimes to spy on political dissidents, activists and journalists.

According to Stone, CVE-2019-2215 is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.

“We do not currently have a sample of the exploit. Without samples, we have neither been able to confirm the timeline nor the payload,” she added.

The Android team said that the issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation.

“Any other vectors, such as via web browser, require chaining with an additional exploit,” they noted. “We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.”

Users of other vulnerable Android-running mobile devices will likely have to wait a bit longer for the fix.

While the likelihood the overwhelming majority of Android users would be targeted is slight, they should (as ever) avoid installing apps they are not sure about.