
Kernel privilege escalation bug actively exploited in Android devices

Researchers have discovered a zero-day kernel privilege escalation bug that can result in the full compromise of certain Android devices and is apparently being exploited in the wild.

Devices known to be affected by the high-level, use-after-free vulnerability include the Pixel 1, 1 XL, 2 and 2 XL; the Huawei P20; the Xiaomi Redmi 5A; the Xiaomi Redmi Note 5; the Xiaomi A1; the Oppo A3; the Moto Z3; Oreo LG phones; and the Samsung S7, S8 and S9.

According to a vulnerability report published by Project Zero security researcher Maddie Stone, the same bug was previously patched back in December 2017 in the 4.14 LTS kernel, the AOSP Android 3.18 kernel, the AOSP Android 4.4 kernel and the AOSP Android 4.9 kernel. But apparently it was not fixed universally across all Android devices.

Citing Google's Threat Analysis Group (TAG), Stone writes that the vulnerability is exploitable via the Chrome sandbox, noting that the in-the-wild exploit is attributable to Israel-based NSO Group, a top commercial provider of cyber offensive tools. NSO denied any involvement, according to a report from ZDNet.

The vulnerability is officially designated CVE-2019-2215. "The vulnerability is exploitable in Chrome's renderer processes under Android's 'isolated_app' SELinux domain, leading to us suspecting Binder as the vulnerable component," Stone notes. "If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox."

The Android team reportedly has said a patch will be made available as part of the October operating system update.

Bradley Barth

