A new zero-day vulnerability has been disclosed in Android. If exploited, the flaw could give a local attacker escalated privileges on the compromised device. According to Trend Micro’s Zero Day Initiative (ZDI) researchers Lance Jiang and Moony Li, the flaw is located within Android’s v4l2 (Video4Linux 2) driver.
Highly Critical Zero-Day Vulnerability in Android
The vulnerable component does not validate that an object exists before performing operations on it. A local attacker could exploit the flaw to escalate privileges in the kernel, which in turn could grant full access to and control over the Android device. This makes the vulnerability highly severe, especially since it has been disclosed publicly without a patch being available.
The vulnerability was first reported to Google on March 13, 2019, and the coordinated advisory was released to the public on Wednesday. Notably, when ZDI first contacted the company, Google confirmed the issue and said it could be fixed, but did not clarify when a patch would be released.
“Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it,” the advisory said.
The vulnerability was made public at the same time as Google released its September Android Security Bulletin, which addresses two critical remote code execution bugs in the media framework. The zero-day in question, however, was disclosed separately and is not part of the bulletin.
It is also worth noting that a couple of days ago Zerodium updated its price list and is now offering bigger bounties for Android vulnerabilities than for iOS ones. This is the first time that has happened, as iOS flaws have always been at the top of the mobile exploit price list. An Android zero-click exploit chain that requires no user interaction can now earn researchers a payout of up to $2.5 million, whereas the same exploit chain in iOS is valued at $2 million.