Researchers have discovered a zero-day kernel privilege escalation bug that can result in the full compromise of certain Android devices and is apparently being exploited in the wild.
Devices known to be affected by the high-level, use-after-free vulnerability include the Pixel 1, 1X:, 2 and 2 XL; the Huawei P20; the Xiaomi Redmi 5A; the Xiaomi Redmi Note 5; the Xiaomi A1; the Oppo A3; the Moto Ze; Oreo LG phones; and the Samsung S7, S8 and S9.
According to a vulnerability report published by Project Zero security researcher Maddie Stone, the same bug was previously patched back in December 2017 in the 4.14 LTS kernel, the AOSP Android 3.18 kernel, the AOSP Android 4.4 kernel and the AOSP Android 4.9 kernel. But apparently it was not fixed universally across all Android devices.
Citing Google's Threat Analysis Group (TAG), Stone writes that the vulnerability is exploitable via the Chrome sandbox, noting that the in-the-wild exploit is attributable to Israel-based NSO Group, a top commercial provider of cyber offensive tools. NSO denied any involvement, according to a report from ZDNet.
Officially designated CVE-2019-2215, "The vulnerability is exploitable in Chrome's renderer processes under Android's 'isolated_app' SELinux domain, leading to us suspecting Binder as the vulnerable component," Stone notes. "If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox."
The Android team reportedly has said a patch will be made available as part of the October operating system update.