Xiaomi, Samsung, Google Pixel Smartphones Can Be Hacked Via Remote Access; No Security Patch Available

“Software updates often fix security problems, so download updates as soon as they become available” – California SBDC

Recently a zero-day vulnerability has been found which affected certain older kernel versions of Android, in fact, it is affecting a wide range of popular smartphones like Redmi Note 5, Google Pixel 2, Mi A1, Samsung Galaxy S9 and more. 

What Does This Mean?

According to a research done by Maddie Stone, Google’s security researcher, a local in-device privilege scope can be exploited by this vulnerability.

It can cause an attack in which there is a rise in the privilege of scope in the attacker’s app or service to gain root access of the concerned phone.

In simple words, the vulnerability is designed in such a way that the attackers can take full control of the affected devices.

How Does It Affect A Device?

The report says that only a local-level exploit is possible if the malware is injected through physical sources. 

But there is also a possibility of injecting it through the internet as well. So the attacker has full remote access to these affected devices.

Certain versions of the Android kernel which have not been updated to the very latest ones are the target of this vulnerability. 

The most important part is, even the most recent software patches on phones with older kernels would be rendered ineffective against this vulnerability.

To prove this, Stone demonstrated by showing the flaw in action on a Google Pixel 2 smartphone running Android 10 with September 2019 security patch.

Which Devices Are Affected?

According to  Google Project Zero blog, the list of affected devices includes Huawei P20, Google’s Pixel 1, 1XL, 2 and 2XL, Xiaomi‘s Redmi 5A, Redmi Note 5 and Mi A1, Moto Z3, Oppo A3, all LG smartphones running on Android Oreo, and Samsung’s flagships from the past three years — Galaxy S7, Galaxy S8 and Galaxy S9. 

Some of the mobiles listed here are very popular nowadays which makes this riskier, since it extends to the possibility of widespread surveillance being enforced, through Android.

What Are The Consequences?

The shocking fact as stated by Google that it’s already been used by Israel’s surveillance agency, the NSO Group, who might be offering its services to the government itself or to officially backed agencies.

What Is Plan Of Action?

While talking about the action plan against this vulnerability “This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners, and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.”

So it is better to look out for the latest update on your phone(s), which should be rolling out over the next couple of weeks. (reference News18) 

The updates will most probably deliver the critical security patch, covering yet another critical zero-day bug that could still have a devastating effect without even we know about it.