Researchers Disclose Unpatched Android Zero-Day
CYBER NEWS

Researchers Disclose Unpatched Android Zero-Day

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

A new zero-day vulnerability has been discovered in Android. If exploited, the flaw could give a local attacker escalated privileges on the compromised device. According to TrendMicro’s Zero Day Initiative researchers Lance Jiang and Moony Li, the flaw is located within the v4l2 driver (Video4Linux 2) in Android.




Highly Critical Zero-Day Vulnerability in Android

When exploited, this component doesn’t validate the existence of an object prior to performing operations on the same object. A local attacker could exploit the vulnerability for privilege escalation in the kernel. Eventually, this could grant the attacker full access and control over the Android device. This makes the vulnerability highly severe, especially when it’s being disclosed publicly without a patch.

The vulnerability was first reported to Google on March 13, 2019. On Wednesday, the coordinated advisory was released to the public. It should be noted that when the company was first contacted by ZDI, it confirmed the issue and said it could be fixed, but without clarifying when a patch could be released.

Related: Google Refused to Patch a Vulnerability in Android Chrome for 3 Years

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it,” the advisory said.

The vulnerability is made public at the same time when Google released its September Android Security Bulletin. The bulletin addresses two critical remote code execution bugs in the media framework. The zero-day in question, however, is disclosed separately and is not part of the bulletin.

It is curious to note that a couple of days ago Zerodium updated its pricelist and is currently offering bigger bounties for Android vulnerabilities. This happens for the first time ever, as iOS flaws have always been on the top of the mobile exploits list. From now, an Android zero-click exploit chain that requires no user interaction could get researchers a payout of up to $2.5 million, whereas the same exploit chain in iOS is estimated at $2 million.

Avatar

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...