Android security has come a long way in recent years. The promotion of monthly patches has kept many rising threats at bay while Google Play Protect largely bars malware from the Play Store. Despite these achievements, there are still instances where bad actors can exploit Android's code for nefarious purposes. Google's Project Zero team recently reported such an incident, and you may be at risk if you own one of the affected phones.
The vulnerability in question affects Android's kernel code, allowing a hacker to gain root access via a malicious sideloaded application. With root access, an attacker could manipulate privileges, steal data, and even tamper with the operating system.
Google originally discovered this vulnerability in 2017. A security patch released in December 2017 closed the exploit in the 4.14 LTS kernel, as well as the AOSP Android 3.18, 4.4, and 4.9 kernels. However, a handful of popular Android devices have been recently found to still be susceptible to this particular zero-day threat:
- Pixel 2 (Android 9 Pie and Android 10 preview)
- Huawei P20
- Xiaomi A1, Redmi 5A, Redmi Note 5
- Oppo A3
- Moto Z3
- LG phones (Android 8 Oreo)
- Samsung Galaxy S7, S8, S9
Google's Project Zero confirms this bug has been exploited on a number of active handsets, and it has flagged the flaw as a high priority. Impacted Pixel phones will receive a security patch to resolve the issue in October with the remaining devices on this list following as soon as the respective OEMs can roll out updates.
The vulnerability has been patched again. The 2019-10-06 patch level contains the fix, so if your device is affected and shows a notification for an update, you should accept it as soon as possible.