Security researchers with Google’s Project Zero team have disclosed an Android vulnerability that appears to have been exploited in the real world, ZDNet reports. The issue affects Samsung’s Galaxy S7, S8, and S9, as well as the Huawei P20, Pixel 1, and Pixel 2. An Android spokesperson said that an attacker would need either to get their target to install a malicious application or to pair the attack with a second exploit via a program like a web browser. At that point, the exploit achieves “full compromise” of a device.
Instances of the exploit being used in the real world were discovered by Google’s Threat Analysis Group, which suggests that the exploit may have been used or sold by the NSO Group, an Israel-based spyware vendor that was most recently behind a piece of spyware that can be injected into a phone via a WhatsApp call.
When contacted for comment by The Verge, the NSO Group denied that it had any involvement with the exploit. “NSO did not sell and will never sell exploits or vulnerabilities,” a spokesperson said. “This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives.”
Since the bug is already being used by an exploit out in the real world, Google’s security researchers gave the Android team only seven days to fix it before making their findings public. The bug was first disclosed to the Android team on September 27th, and it was made public today.
In an odd twist, the researchers said that the same bug had previously been patched in December 2017, but it appears to have reemerged in subsequent versions of the Android kernel.
Here’s the full list of devices that Project Zero believes are affected by the hack. However, the team notes that this list is “non-exhaustive”:
- Pixel 1
- Pixel 1 XL
- Pixel 2
- Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Android Oreo LG phones
- Samsung Galaxy S7
- Samsung Galaxy S8
- Samsung Galaxy S9

In a comment responding to the bug, a spokesperson for the Android team confirmed that it was a “high severity” issue. They added that a patch is now available on the Android Common Kernel and that Android partners have been informed. “Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update,” they said, adding that Pixel 3 and 3A devices are not affected.
Update October 4th, 10:45AM ET: Updated with statement from NSO Group denying any involvement with the exploit.