# Attackers exploit 0day vulnerability that gives full control of Android phones



## P4-630 (Oct 4, 2019)

*Vulnerable phones include 4 Pixel models, devices from Samsung, Motorola, and others.*
Attackers are exploiting a zeroday vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night.

There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero member Maddie Stone said in a post. Exploits require little or no customization to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.

“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Stone wrote. “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”


A “non-exhaustive list” of vulnerable phones includes:

- Pixel 1
- Pixel 1 XL
- Pixel 2
- Pixel 2 XL
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones
- Samsung S7
- Samsung S8
- Samsung S9

**High severity**

A member of Google’s Android team said in the same Project Zero thread that the vulnerability would be patched—in Pixel devices, anyway—in the October Android security update, which is likely to become available in the next few days. The schedule for other devices to be patched wasn’t immediately clear. Pixel 3 and Pixel 3a devices aren’t affected.

“This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation,” Tim Willis, another Project Zero member, wrote, citing Android team members. “Any other vectors, such as via web browser, require chaining with an additional exploit.”

Google representatives wrote in email: “Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming days. Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue.”

The use-after-free vulnerability originally appeared in the Linux kernel and was patched in early 2018 in version 4.14, without the benefit of a tracking CVE. That fix was incorporated into versions 3.18, 4.4, and 4.9 of the Android kernel. For reasons that weren’t explained in the post, the patches never made their way into Android security updates. That would explain why earlier Pixel models are vulnerable and later ones are not. The flaw is now tracked as CVE-2019-2215.

Attackers exploit 0-day vulnerability that gives full control of Android phones (arstechnica.com)

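The article says the fix for CVE-2019-2215 ships in the October 2019 Android security update and that Pixel 3 and 3a are not affected. As an added example (not code from the article or from anyone in this thread), here is a shell check that reads an attached device's security patch level over adb and compares it against that release; the exact patch-level string 2019-10-01 and the `ro.product.model` values for the Pixel 3 family are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or the thread: report whether an Android
# device's security patch level (SPL) is at or past the October 2019 release
# that the article says carries the fix for CVE-2019-2215.
# Assumption: the fix is in SPL 2019-10-01 or later; the article only says
# "the October Android security update", so the exact day string is assumed.
FIX_SPL="2019-10-01"

# spl_to_int: "YYYY-MM-DD" -> YYYYMMDD as an integer; 0 if not a valid SPL shape.
spl_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | tr -d '-' ;;
        *) printf '0' ;;
    esac
}

# spl_covers_fix SPL: succeed (exit 0) if SPL is on or after FIX_SPL.
# A malformed or empty SPL is treated as unpatched, never as safe.
spl_covers_fix() {
    [ "$(spl_to_int "$1")" -ge "$(spl_to_int "$FIX_SPL")" ]
}

# model_unaffected MODEL: Pixel 3 and 3a variants are not affected per the
# article. The model strings are assumed ro.product.model values.
model_unaffected() {
    case "$1" in
        "Pixel 3"|"Pixel 3 XL"|"Pixel 3a"|"Pixel 3a XL") return 0 ;;
        *) return 1 ;;
    esac
}

# assess MODEL SPL: print one of UNAFFECTED / PATCHED / AT_RISK.
assess() {
    if model_unaffected "$1"; then echo "UNAFFECTED"
    elif spl_covers_fix "$2"; then echo "PATCHED"
    else echo "AT_RISK"
    fi
}

# check_device: read model and SPL from a USB-attached, authorized device.
# Assumes adb is on PATH; getprop output carries a trailing CR that is stripped.
check_device() {
    model=$(adb shell getprop ro.product.model | tr -d '\r')
    spl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s (SPL %s): %s\n' "$model" "$spl" "$(assess "$model" "$spl")"
}

# Only touch a real device when asked, so the functions can be sourced offline.
if [ "${1:-}" = "--device" ]; then check_device; fi
```

Run it as `sh check_spl.sh --device` with one device plugged in; a device that still reports a June 2019 patch level, like the S7 mentioned later in the thread, comes back AT_RISK.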

----------



## the54thvoid (Oct 4, 2019)

Untrusted Apps....

Says it all really. I know it's maybe not as clear cut but installing untrusted software is always associated with risk.


----------



## Vayra86 (Oct 4, 2019)

the54thvoid said:


> Untrusted Apps....
> 
> Says it all really. I know it's maybe not as clear cut but installing untrusted software is always associated with risk.



Play Store curation isn't flawless either though. Flashlight apps... and the endless fiddling with permissions... There have been malware reports on trusted apps too.

But, yes. Untrusted software should be avoided and people can use some more awareness on that.


----------



## eidairaman1 (Oct 4, 2019)

Visit xdaforums for help too


----------



## trparky (Oct 12, 2019)

Vayra86 said:


> Play Store curation isn't flawless either though.


That's an understatement man.

When it comes to vetting apps for the Google Play Store, the whole process is a freakin' joke! Apps have been approved only to have them removed months later for containing malware. And this hasn't happened a few times, it's happened *A LOT*. Considering how much money Google brings in on a yearly basis you'd think that they would be able to afford a proper app testing group so as to prevent this kind of stuff from happening. This is where Apple really outshines Google.

And before people will say that Google can just patch it via the Google Play Services, the answer to that would be... *NOPE!!!* This can only be patched via an OTA update since this is at a much lower level than Google Play Services can touch.

Sure, if you have a Google-branded device then you're going to be fine since they themselves can push updates out quickly. But if you have a Samsung? Yeah... um, good luck with that; you're going to need it.


----------



## Solaris17 (Oct 12, 2019)

Vayra86 said:


> Flashlight apps...



Flashlight would like access to:
- Contacts
- Light


----------



## INSTG8R (Oct 12, 2019)

/Chuckles in iOS 

BUT I just read there’s a zero-day exploit in iTunes that’s recently been uncovered; thankfully I removed that bloat from my PC a few months ago.


----------



## trparky (Oct 12, 2019)

INSTG8R said:


> /Chuckles in iOS


Me too. I have an iPhone 11 Pro.


INSTG8R said:


> BUT I just read there’s a zero-day exploit in iTunes that’s recently been uncovered; thankfully I removed that bloat from my PC a few months ago.


I'm kind of screwed there since I use Apple Music. The flaw has been fixed though.


----------



## Nuckles56 (Oct 12, 2019)

trparky said:


> Me too. I have an iPhone 11 Pro.


OT: How is the 11 Pro so far? I'm looking at getting one.


----------



## trparky (Oct 12, 2019)

Nuckles56 said:


> OT: How is the 11 Pro so far? I'm looking at getting one.


Oh, I love it myself. I've not really had a chance to play with the new camera setup yet so I can't say anything about that. I did have an iPhone 7 Plus before so in comparison the iPhone 11 Pro is... stupid quick (that's a good thing!). The screen itself, being an OLED screen, is seriously awesome. The whites are vivid, colors _pop_, and the blacks are inky black. Oh, and battery life is _absolutely_ amazing.


----------



## micropage7 (Oct 12, 2019)

Solaris17 said:


> Flashlight would like access to:
> - Contacts
> - Light


That's why I usually remove full network access from that app, but too bad the app was pulled from the Play Store.


----------



## Darmok N Jalad (Oct 13, 2019)

Flashlight? Does Android not have that built-in? It’s been a while since I’ve used an Android phone. I’m so used to it being on the lock screen on iOS, so I figured it was standard issue these days.


----------



## Solaris17 (Oct 13, 2019)

Darmok N Jalad said:


> Flashlight? Does Android not have that built-in? It’s been a while since I’ve used an Android phone. I’m so used to it being on the lock screen on iOS, so I figured it was standard issue these days.



I think it was more of just an example. Super arbitrary apps asking for access to things that are not relevant.


----------



## IceShroom (Oct 13, 2019)

P4-630 said:


> Attackers exploit 0-day vulnerability that gives full control of Android phones
> 
> 
> Vulnerable phones include 4 Pixel models, devices from Samsung, Motorola, and others.
> ...


Reported by Ars Technica says everything.


----------



## Space Lynx (Oct 13, 2019)

IceShroom said:


> Reported by Ars Technica says everything.



Yep, Ars is one of the last places of quality.


----------



## potato580+ (Oct 13, 2019)

So should I care about my phone transactions?! Nope, I believe bank security has a standard to get rid of this kind of thing.


----------



## windwhirl (Oct 13, 2019)

Vayra86 said:


> Flashlight apps...



Wait. Flashlight apps? WTH? That's not part of the OS yet?

EDIT: W10 has had it since forever.






Vayra86 said:


> Untrusted software should be avoided and people can use some more awareness on that.



The most uphill battle I've ever fought. Maybe it's just my case, but more than once, if the person I was talking to wasn't either old or paranoid, people kind of shrugged about potential risks, as if saying "so?".


----------



## robot zombie (Oct 13, 2019)

Darmok N Jalad said:


> Flashlight? Does Android not have that built-in? It’s been a while since I’ve used an Android phone. I’m so used to it being on the lock screen on iOS, so I figured it was standard issue these days.


It does now. You slide down the top bar on pretty much any of them and it's right there with Wi-Fi, Bluetooth, and so on. I can't remember when it became standard, but I remember having Android phones maybe 5 years back and further that didn't have an embedded flashlight feature. Friends and family had the same issue and had to use apps. Very few people I met ever had it by default... it was something to boast about if you did. But then other Android phones released at the same time did. I think for some reason certain builds didn't have it... seeing what I've seen with certain manufacturers' custom Android builds, there was worse seemingly-arbitrary crippling than that. No surprise there. They all seem to find a way to fuck something up one way or another.

Maybe I've got it backwards. It may not have been standard back then and some of the more perceptive manufacturers were baking it into their own builds. Come to think of it, some of the cheap tracfone-type models still don't have it. Maybe because a lot of those are older models or slimmed-down models running pretty old versions of android. Who knows? Either way, quite the absurd scenario.

But yes, I remember the permissions so many of them asked for. There was one that wanted basically everything... even voice and GPS. And a lot of them barely worked to begin with. Pretty ridiculous that any of them made it through, or that anybody used them. But people did, because your average person just ignores the permissions prompt completely. "You know you just gave that app permission to do whatever it wants with that camera looking at you, right?" "Bleh, I need it."

That's the thing about those flashlight apps. They all require camera access, due to the nature of their function. Kinda sketchy to have to give that to some no-name app. Huge oversight to not have had it standard for so long and leave it to whoever wants into your camera to half-bake a semi-working flashlight app.

Some of the most popular ones were absolute crap, on top of being a security risk. So ridiculous to need an app to control such a basic hardware function. Glad those days are over. I still am not a fan of play store, for so many reasons. Most of the apps on it seem to be pretty dodgy. I'd bet it's more dodgy ones than good ones. Too easy to get in and too lucrative. You'd expect something more professional and... rounded-out. But no... pretty much any non service or device specific app you want is probably iffy. It's about as trustworthy as ebay or alibaba.


----------



## notb (Oct 13, 2019)

Darmok N Jalad said:


> Flashlight? Does Android not have that built-in? It’s been a while since I’ve used an Android phone. I’m so used to it being on the lock screen on iOS, so I figured it was standard issue these days.


What's so surprising about people trying alternatives?
Some people look for additional functionality (like strobe or signals).
Some people do it for fun.
Let them. 

Anyway, it was just an example. It is true that apps on Android have absurd permission requirements - even those coming from respected, large corporations.


----------



## Tegos (Oct 14, 2019)

Installing untrusted apps is pretty much the same as shooting yourself in the foot. 
Though that's not to say that even some Play Store "safe" apps aren't sketchy as hell. Google's quality control is about as effective as Steam Greenlight's quality control (as in, there is next to none.)


----------



## er557 (Oct 14, 2019)

Been installing 3rd party APKs since forever, just keep two AVs active on the device; Google's Play Protect also scans apps.


----------



## R-T-B (Oct 14, 2019)

er557 said:


> Been installing 3rd party APKs since forever, just keep two AVs active on the device; Google's Play Protect also scans apps.



Me as well. Just know where and from whom it came. Same as PC.


----------



## Tegos (Oct 14, 2019)

R-T-B said:


> Me as well. Just know where and from whom it came. Same as PC.


I mean, yeah, there's that too. 
As far as you know where you're downloading stuff from, you should be fine. In that sense it's pretty much the same as downloading PC software.


----------



## Totally (Oct 14, 2019)

the54thvoid said:


> Untrusted Apps....
> 
> Says it all really. I know it's maybe not as clear cut but installing untrusted software is always associated with risk.



You should have finished reading the second half of that sentence; it can install itself when using Chrome, which isn't exactly an untrusted app.


----------



## trparky (Oct 14, 2019)

When it comes to the safety of apps on the Google Play Store, Google really should be getting off of their lazy asses with all that damn money they have in their coffers and do their damn jobs!!! This ain't no poor little company here, this is a company that's pulling in millions *per* business quarter ($136.22 *B*illion in 2018 alone!); they can afford it, don't tell me that they can't. They have the money and resources to make sure that every app released to the Play Store is fully vetted, they just choose not to do so and so months later apps need to be removed (often hundreds of them) all because of malware.

This is laziness, plain and simple. Google ain't doing their job!


----------



## johnspack (Oct 16, 2019)

When is this stuff getting patched? I had Wi-Fi off for 2 weeks for weird reasons, and turned it back on, and got 2 huge updates on my S7 that required it booting to Odin twice.
My system update shows it's now at June 2019 security etc. updates... when did this thing come out exactly?


----------



## eidairaman1 (Oct 16, 2019)

Darmok N Jalad said:


> Flashlight? Does Android not have that built-in? It’s been a while since I’ve used an Android phone. I’m so used to it being on the lock screen on iOS, so I figured it was standard issue these days.



It is in 2014


----------

