Tue. Nov 12th, 2019

Google reveals the latest Android zero-day vulnerability

2 min read

This week, Google revealed the zero-day vulnerability discovered by the company in Android. This zero-day vulnerability can be used to attack Android 8.x and above. Google found that although this vulnerability could theoretically be used on all devices, the actual test found that only some devices could attack this vulnerability.

Affected include Pixel 2 with Android 9 and Android 10 preview, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3, Moto Z3, Oreo LG phones, and Samsung S7, S8, S9.

Android devices malware

After analysis, Google found that to successfully exploit this vulnerability, it must install malware on the user device in advance, and then operate the vulnerability through malware. Since the malware has been installed, it doesn’t really make sense to exploit the vulnerability. After all, attackers can use malicious software to launch and steal user information. Google also said that while the vulnerability can not be executed remotely.

This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation,” a spokesperson for the Android Open Source Project said. “Any other vectors, such as via web browser, require chaining with an additional exploit.

We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update,” the Android team said.

For devices that have upgraded Android 10, Google can fix it directly through Google Play, so those users have actually fixed this vulnerability. Users of older versions of Android need to wait for the manufacturer to provide security updates, and Google said it has released security updates and notified major manufacturers. Therefore, users only need to periodically check for updates and upgrade with new versions.

Via: ZDNet