Google's Threat Analysis Group (TAG) says that a new Android zero-day is actively being exploited in the wild in attacks targeting vulnerable Google Pixel, Huawei, Xiaomi, Samsung, Oppo, and Moto smartphones.

This zero-day is a use-after-free vulnerability in the Android binder kernel driver that can be turned into a local privilege escalation (LPE): an attacker who can already run code on an unpatched device can use it to gain full control of that device.

"If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox," says Google Project Zero researcher Maddie Stone.

Even though the issue was patched in December 2017 in the 4.14 LTS Linux kernel (without a CVE being assigned) and by the Android Open Source Project (AOSP) in the Android 3.18, 4.4, and 4.9 kernels, the fix was never propagated to the kernels shipped on many later devices, which is why fully patched phones remained vulnerable.

Kernel privilege escalation bug in Android affecting fully patched Pixel 2 & others. Reported under 7 day deadline due to evidence of in-the-wild exploit. @tehjh and I quickly wrote a POC to get arbitrary kernel r/w using this bug, released in tracker. https://t.co/x4Q1YxKczB — Maddie Stone (@maddiestone) October 4, 2019

Impacts Pixel, Samsung, Xiaomi, Huawei smartphones

According to Stone, the vulnerability tracked as CVE-2019-2215 affects "most Android devices pre-Fall 2018," requiring "little or no per-device customization."

The following Android devices have been listed as vulnerable on Project Zero's bug tracker:

• Pixel 1 and 2 (and XL) with Android 9 and Android 10 preview

• Samsung S7, S8, S9

• Huawei P20

• Xiaomi Redmi 5A

• Xiaomi Redmi Note 5

• Xiaomi A1

• Oppo A3

• Moto Z3

• Oreo LG phones

While Google's Project Zero normally discloses vulnerabilities after 90 days, actively exploited ones are subject to a 7-day disclosure deadline.

"After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public," said Stone.

PoC exploit demo

Attributed to the NSO Group

Google's Threat Analysis Group says that "the bug was allegedly being used or sold by the NSO Group," an Israel-based firm known for developing and selling exploits and surveillance tools such as the Pegasus spyware for Android and iOS.

Although successful exploitation of this vulnerability gives an attacker full control of a compromised Android device, it cannot be used on its own to compromise a device remotely: the attacker first needs code execution on the device, either through a malicious app or by chaining the bug with a separate exploit such as a browser renderer bug.

"This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit," says an AOSP statement.

"We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update."
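A practical way to triage a fleet for this bug is to compare each device's security patch level against the level that carries the fix. The script below is an added example, not code from Google, Project Zero or the original article. It assumes the fix ships under the 2019-10-06 security patch level of the October 2019 Android Security Bulletin (the article only says "the October update", so that exact date is an assumption to verify against the bulletin) and that `ro.build.version.security_patch` reports the device's patch level, as it does on stock Android builds.

```shell
#!/bin/sh
# Triage helper for CVE-2019-2215 based on the Android security patch level.
# ASSUMPTION: the fix is included from the 2019-10-06 patch level onward
# (second level of the October 2019 bulletin). Adjust if your OEM differs.
FIX_LEVEL="2019-10-06"

# to_number YYYY-MM-DD -> YYYYMMDD, so ISO dates can be compared as integers
# with POSIX test(1) instead of relying on non-portable string comparison.
to_number() {
    printf '%s' "$1" | tr -d '-'
}

# patched_for_cve_2019_2215 LEVEL
#   returns 0 if LEVEL is at or after the fix level (device should be patched)
#   returns 1 if LEVEL is older than the fix level (device should be treated as vulnerable)
#   returns 2 if LEVEL is not a YYYY-MM-DD patch level (unknown, investigate)
patched_for_cve_2019_2215() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    if [ "$(to_number "$level")" -ge "$(to_number "$FIX_LEVEL")" ]; then
        return 0
    fi
    return 1
}

# When run on a device (adb shell), read the live property and report.
# getprop does not exist on a workstation, so this part is skipped there.
if command -v getprop >/dev/null 2>&1; then
    level="$(getprop ro.build.version.security_patch)"
    rc=0
    patched_for_cve_2019_2215 "$level" || rc=$?
    case "$rc" in
        0) echo "patch level $level: fix level reached, CVE-2019-2215 should be fixed" ;;
        1) echo "patch level $level: older than $FIX_LEVEL, treat as vulnerable" ;;
        *) echo "patch level '$level': unparseable, check the build manually" ;;
    esac
fi
```

Push the script to a device with `adb push check.sh /data/local/tmp/ && adb shell sh /data/local/tmp/check.sh`. A reported patch level is only as trustworthy as the OEM's bulletin mapping: some vendors backport kernel fixes without bumping the level, and a level at or after the fix date does not prove the binder patch itself is present in a vendor kernel, so treat a "fixed" result as a filter for where to focus, not as proof.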