Earlier this week, Google’s Project Zero security analysis team revealed that cyber-attackers are exploiting a bug within Android OS, which affects 18 known phone models including three Samsung devices, namely the Galaxy S7, Galaxy S8, and Galaxy S9. The issue stems from a local privilege escalation vulnerability which can give attackers full control over an affected device.
Google’s Project Zero team labeled it a “high severity vulnerability,” but the good news is that a fix has already been devised and will roll out along with the October 2019 security patch. The need for secrecy might be why Google has yet to detail the October 2019 security patch in an official changelog. Either way, the company said its Pixel 1 and 2 will no longer be vulnerable after the update, adding that a patch has also been made available to partners to make sure that the problem doesn’t spread throughout the Android ecosystem.
Samsung already rolling out the October patch
The severity of the bug could also be the reason why Samsung already launched the October security patch for several Galaxy devices, even as the changelog was missing. So far, Samsung released the October 2019 security patch for the Galaxy S10 5G, the Galaxy A20e, Galaxy A50, as well as the A30 and Galaxy J2 Core.
Interestingly, all of these phones sans the Galaxy S10 5G follow the quarterly update schedule, and none of them have been mentioned by the Project Zero team as being vulnerable. Then again, the list of affected devices shared in Chromium isn’t final and there could be more phones that are or have been open to attacks.
The vulnerability is reportedly being exploited by the NSO Group
According to Project Zero, the vulnerability can be exploited either when a user installs an untrusted app, or via a web browser by combining it with another exploit residing in the code that determines how content is being rendered in Chrome.
Project Zero member, Maddie Stone, said there are reasons to believe the vulnerability is being exploited by the NSO Group or its clients. This is an Israel-based exploit developer and is known to sell its malicious product to various governmental bodies. A few years ago the same group was responsible for developing the “Pegasus” spyware for mobile devices, which was designed to jailbreak or root iOS / Android phones and expose private data.
How to keep safe
Because the vulnerability requires either an additional app to open up the exploit or a second exploit within the Chrome web browser for it to work, it shouldn’t be difficult to keep your phone safe even if you haven’t received the October 2019 security patch yet. Just be mindful of what third-party apps you install and refrain from installing apps from untrusted sources. Likewise, you might want to use a different mobile web browser instead of Chrome, at least until the vulnerability will be fully patched.