Researchers of Google have detected an unpatched vulnerability on Google’s own Android OS which affects Pixel 1 and 2 along with many other devices including Huawei and Samsung. The company revealed the issue seven days after finding it, since the threat is a “zero-day” which is already being exploited in the wild. Surprisingly, the bug affects Android 8.x and later versions, got detected and patched in December 2017 on previous versions of the OS. However, they did not move over the fix to the newer versions.
Google’s Project Zero team discovered the exploit, also its Threat Analysis Group thinks that the bug was also used in the real world’s attacks by Israel’s NSO Group. They have been involved in attacks on human rights and political activists in the past.
Google says that this threat is not as dangerous as others in the past, as it “requires installation of a malicious application for potential exploitation,” said an Android representative. Which means that the threat can not be triggered via a web browser or an app without the help of additional exploits already being there in place.
The representative of Google said that the company notified Android partners and made the patch available for the Android Common Kernel. “Pixel 3 and 3a devices are not vulnerable, while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update,” the team added. Other devices affected are the Huawei P20, Samsung Galaxy S7, Xioami Redmi 5A, Xiaomi Redmi Note 5, Oppo A3 and the Moto Z3.