Google has stated a warning of an Android zero-day flaw actively being exploited in the wild. This flaw impacts 18 Android models including Google’s flagship Pixel, Samsung, Huawei and Xiaomi.
Project Zero member Maddie Stone wrote in a technical post . which said the unpatched vulnerability(CVE-2019-2215) can be exploited in several ways. In one scenario, a target is enticed to download a rogue app. The second method of infection includes chaining the bug with an additional vulnerability in code the Chrome browser uses to render content.
“It is a kernel privilege escalation [bug] using a use-after free vulnerability, accessible from inside the Chrome sandbox,” Stone said. “The vulnerability is exploitable in Chrome’s renderer processes under Android’s ‘isolated_app’ SELinux domain, leading to us suspecting Binder as the vulnerable component.”
A patch for the vulnerability is expected in the next few days as part of Google’s October Android security update.
A list of vulnerable devices include: Pixel 1, Pixel 1 XL, Pixel 2, Pixel 2 XL, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note, Xiaomi A1, Oppo A3, Moto Z3, Oreo LG phones, Samsung S7, Samsung S8 and Samsung S9.