Stories
Slash Boxes
Comments

SoylentNews is people

Attackers Exploit 0-Day Vulnerability That Gives Full Control of Android Phones

posted by Fnord666 on Tuesday October 08 2019, @11:27AM   Printer-friendly

upstart writes:

Submitted via IRC for SoyCow9088

Attackers exploit 0-day vulnerability that gives full control of Android phones

Attackers are exploiting a zero-day vulnerability in Google's Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google's Project Zero research group said on Thursday night.

There's evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero member Maddie Stone said in a post. NSO representatives, meanwhile, said the "exploit has nothing to do with NSO." Exploits require little or no customization to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.

"The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device," Stone wrote. "If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox."

[...] "This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation," Tim Willis, another Project Zero member, wrote, citing Android team members. "Any other vectors, such as via web browser, require chaining with an additional exploit."

[...] While the vulnerability reported on Thursday is serious, vulnerable Android users shouldn't panic. The chances of being exploited by attacks as expensive and targeted as the one described by Project Zero are extremely slim. Just the same, it may make sense to hold off installing non-essential apps and to use a non-Chrome browser until after the patch is installed.

[Editor's Note: The link pointing to the comment made by Maddie Stone (2nd Para) has broken and now points to an empty page. We will try to find a replacement for it. The problem might be browser-specific, I am still investigating. --JR 13:08 UTC 8 Oct]

Original Submission

 
This discussion has been archived. No new comments can be posted.
Attackers Exploit 0-Day Vulnerability That Gives Full Control of Android Phones | Log In/Create an Account | Top | 17 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by Azuma Hazuki on Wednesday October 09 2019, @02:16AM (1 child)

    by Azuma Hazuki (5086) on Wednesday October 09 2019, @02:16AM (#904470) Journal

    You scramble the over-easy eggs? You...you *bastards!* This is too far!

    --
    I am "that girl" your mother warned you about...
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2, Funny) by DECbot on Wednesday October 09 2019, @07:59PM

    by DECbot (832) on Wednesday October 09 2019, @07:59PM (#904871) Journal

    They're outright despicable. I'm only passive-aggressive enough to serve them over-medium.

    --
    cats~$ sudo chown -R us /home/base