Are you holding an Android device in your hands? Perhaps you are reading this article on your Android phone? Android appears to be the most popular mobile operating system. In fact, in the second quarter of 2018, 88 percent of all smartphones sold to end users were phones with the Android operating system, according to Statista.
There’s an unpatched flaw in Android, and it’s actively exploited
So, any news regarding a serious vulnerability in Android, let alone an unpatched issue, should be treated as a threat alert. Reportedly, attackers have been exploiting such an unpatched vulnerability, and using it to take control of compromised devices, and eventually to drop spyware.
Owners of Huawei, Xiaomi, Samsung, LG and Google phones are affected by this flaw. But what exactly is it?
The unpatched vulnerability is described as a use-after-free memory condition in the Android Binder component, which can result in escalation of privileges. In fact, the issue was patched in Linux 4.14 LTS kernel, Android Open Source Project’s (AOSP) 3.18 kernel, AOSP 4.4 kernel and AOSP 4.9 kernel in December 2017 without receiving a CVE identifier. So why is still considered unpatched, if it was addressed two years go?
The reason is that AOSP (Android Open Source Project) takes care of the reference Android code, but individual device manufacturers, such as Google, don’t implement it directly. These manufacturers maintain separate firmware trees for their devices, which often run different kernel versions. In other words, every time a vulnerability is fixed in AOSP, manufacturers need to import the patch and apply it to their customized firmware code. The problem is that this process hasn’t been done for this particular issue, leaving the vulnerability unpatched.
Here’s a list of vulnerable devices, according to a report by Google Project Zero researcher Maddie Stone:
1) Pixel 2 with Android 9 and Android 10 preview
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
6) Oppo A3
7) Moto Z3
8) Oreo LG phones (run same kernel according to website)
9) Samsung S7, S8, S9
It is important to note, however, that the listed devices may not the only ones affected, as “most Android devices pre-Fall 2018 are affected”, according to Stone.
How can this unpatched Android flaw be exploited
Being a privilege escalation vulnerability, it can be leveraged by a malicious application to obtain root privileges, which shortly means full device control. The vulnerability enables an escape from the application sandbox, which is central to the security of Android. Furthermore, if the flaw is chained with a browser renderer exploit, it can be targeted from the Web, as the flaw can be leveraged through the browser sandbox.
What is worse is that researchers have evidence that the bug is being exploited in the wild:
We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7 day disclosure deadline. After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
The good news is that AOSP has shared details with the affected vendors, and the patch is available for implementation. It depends on each vendor when the patching is done, and updated for affected devices are released. Google, for example, says that the vulnerability will be fixed for Pixel 1 and 2 in this month’s update.