Attackers are exploiting a zero-day vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night.

There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero member Maddie Stone said in a post. NSO representatives, meanwhile, said the "exploit has nothing to do with NSO." Exploits require little or no customization to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.

“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Stone wrote. “If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”

A “non-exhaustive list” of vulnerable phones include:

Pixel 1

Pixel 1 XL

Pixel 2

Pixel 2 XL

Huawei P20

Xiaomi Redmi 5A

Xiaomi Redmi Note 5

Xiaomi A1

Oppo A3

Moto Z3

Oreo LG phones

Samsung S7

Samsung S8

Samsung S9

High severity

A member of Google’s Android team said in the same Project Zero thread that the vulnerability would be patched—in Pixel devices, anyway—in the October Android security update, which is likely to become available in the next few days. The schedule for other devices to be patched wasn’t immediately clear. Pixel 3 and Pixel 3a devices aren’t affected.

“This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation,” Tim Willis, another Project Zero member, wrote, citing Android team members. “Any other vectors, such as via web browser, require chaining with an additional exploit.”

Google representatives wrote in an email: “Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming days. Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue.”

The use-after-free vulnerability originally appeared in the Linux kernel and was patched in early 2018 in version 4.14, without the benefit of a tracking CVE. That fix was incorporated into versions 3.18, 4.4, and 4.9 of the Android kernel. For reasons that weren’t explained in the post, the patches never made their way into Android security updates. That would explain why earlier Pixel models are vulnerable and later ones are not. The flaw is now tracked as CVE-2019-2215.

Remember NSO?

Stone said that information she received from Google’s Threat Analysis Group indicated the exploit was “allegedly being used or sold by the NSO Group,” a developer of exploits and spyware it sells to various government entities.

In an email sent eight hours after this post went live, NSO representatives wrote: “NSO did not sell and will never sell exploits or vulnerabilities. This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives.”

Israel-based NSO gained widespread attention with the discoveries in 2016 and 2017 of an advanced piece of mobile spyware it developed called Pegasus. It jailbreaks or roots both iOS and Android phones so it can trawl through private messages, activate the microphone and camera, and collect all kinds of other sensitive information. Researchers from University of Toronto-based Citizen Lab determined that the iOS version of Pegasus targeted a political dissident located in the United Arab Emirates.

Earlier this year, Citizen Lab uncovered proof that NSO developed an advanced exploit against the WhatsApp messenger that also installed spyware on vulnerable phones, without requiring end users to take any action. An undercover sting targeting Citizen Lab researchers also had a major focus on NSO.

"As an NSO customer, I'd worry that NSO's notoriety has attracted the kind of heavy scrutiny from security teams and researchers that could lead to my most sensitive espionage operations being disrupted, and exposed," John Scott-Railton, a senior researcher at Citizen Lab, told Ars.

Project Zero gives developers 90 days to issue a fix before publishing vulnerability reports except in cases of active exploits. The Android vulnerability in this case was published seven days after it was privately reported to the Android team.

While the vulnerability reported on Thursday is serious, vulnerable Android users shouldn’t panic. The chances of being exploited by attacks as expensive and targeted as the one described by Project Zero are extremely slim. Just the same, it may make sense to hold off installing non-essential apps and to use a non-Chrome browser until after the patch is installed.

Post updated at 10/4/2019, 6:22 AM California time to add comment from NSO.