Recently, researchers discovered an unpatched zero-day vulnerability in Android. The vulnerability affects most of the latest smartphones from popular brands. More troubling, the researchers have observed that it is under active exploitation.
Unpatched Android Zero-Day Vulnerability Found
Reportedly, Google Project Zero researchers have reported a tricky Android flaw: an unpatched zero-day vulnerability that is also under active exploitation. The bug isn’t a problem for users with older smartphones. Rather, it poses a threat to most new phones, including ones from big brands.
According to a bug report, there is a use-after-free vulnerability (CVE-2019-2215) in the Android kernel. If exploited, the bug could allow an attacker to gain root access to the target device. As described,
binder_poll() passes the thread->wait waitqueue that can be slept on for work. When a thread that uses epoll explicitly exits using BINDER_THREAD_EXIT, the waitqueue is freed, but it is never removed from the corresponding epoll data structure. When the process subsequently exits, the epoll cleanup code tries to access the waitlist, which results in a use-after-free.
Although Google had already patched this flaw in previous Android versions, it resurfaced in recent versions. Specifically, it affects devices running Android 8.x and later. It therefore poses a threat to more recent models rather than to older smartphones.
This issue was patched in Dec 2017 in the 4.14 LTS kernel [1], AOSP android 3.18 kernel [2], AOSP android 4.4 kernel [3], and AOSP android 4.9 kernel [4], but the Pixel 2 with most recent security bulletin is still vulnerable based on source code review.
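The lifetime error in the bug report's description, as a userspace C model added here for illustration; it is not code from this article, the bug report or the Android kernel. All names are hypothetical, and the free is simulated with a flag so the model never touches released memory; the unlink_first variant shows the general remedy of detaching waiters before release, not the actual kernel patch.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model; all names are hypothetical and none of this is kernel code. */
struct waitqueue { bool freed; };               /* stands in for thread->wait */
struct epoll_entry { struct waitqueue *wq; };   /* epoll's saved pointer */

#define MAX_WATCH 4
struct epoll_model { struct epoll_entry watch[MAX_WATCH]; size_t n; };

/* Poll step: epoll stores a pointer to the thread's waitqueue. */
static bool model_poll(struct epoll_model *ep, struct waitqueue *wq)
{
    if (ep->n == MAX_WATCH) return false;
    ep->watch[ep->n++].wq = wq;
    return true;
}

/* Thread-exit step. "Freeing" only sets a flag so the model never touches
 * released memory. With unlink_first the waiters are detached before release. */
static void model_thread_exit(struct epoll_model *ep, struct waitqueue *wq,
                              bool unlink_first)
{
    if (unlink_first)
        for (size_t i = 0; i < ep->n; i++)
            if (ep->watch[i].wq == wq)
                ep->watch[i].wq = NULL;
    wq->freed = true;
}

/* Process-exit step: epoll cleanup walks its entries. Returns how many entries
 * still point at a released waitqueue, i.e. would-be use-after-free accesses. */
static size_t model_epoll_cleanup(const struct epoll_model *ep)
{
    size_t stale = 0;
    for (size_t i = 0; i < ep->n; i++)
        if (ep->watch[i].wq != NULL && ep->watch[i].wq->freed)
            stale++;
    return stale;
}

/* Runs the three steps in order and reports the stale-access count. */
static size_t run_sequence(bool unlink_first)
{
    struct epoll_model ep = { .n = 0 };
    struct waitqueue exiting = { false }, other = { false };
    model_poll(&ep, &exiting);
    model_poll(&ep, &other);
    model_thread_exit(&ep, &exiting, unlink_first);
    return model_epoll_cleanup(&ep);
}
```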
Vulnerable devices include (but are not limited to):
- Pixel 2 with Android 9 and Android 10 preview
- Xiaomi A1
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Oppo A3
- Oreo LG phones
- Samsung S7, S8, S9
- Moto Z3
The researchers also found the bug being exploited in the wild, which is why they disclosed it publicly. The PoC for the exploit is also available in the bug report.
Patch May Arrive Soon
Google assured users that the bug isn’t as dangerous as it sounds. In fact, it is rather difficult to exploit. According to a statement from Android,
This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit.
They also confirmed that the patch is available in the Android Common Kernel. While the Pixel 3 and 3a devices are safe, Pixel 1 and 2 will receive fixes for this bug with the October updates.