Security researchers at Google have found a severe security flaw on Android phones which affects several popular and high-end phones. The researchers believe that the vulnerability was supposed to be patched in December 2017 and could allow attackers to access a user’s phone without them knowing.
The list of affected devices include Google’s very own Pixel and Pixel 2 series in addition to the Samsung Galaxy S7, Galaxy S8, Galaxy S9, Huawei P20 series, Redmi Note 5, Mi A1, Redmi 5A, Oppo A3, Moto Z3 and LG phones running on Android Oreo. Google’s Project Zero team believes that the vulnerability might have been used by Israeli NSO Group which has previously been implicated for having infiltrated phones with spyware on WhatsApp.
In order to gain access to a user’s smartphone, the attacker would need the victim to install a malicious app or open a link in their web browser which will then give them full access to the device. It’s important to note that by full access, the attackers would gain the ability to explore the root directory of the smartphone.
Google’s AOSP team told ZDNet “This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit”.
The company’s Project Zero team says it gave the Android tea, seven days to fix the issue before going official. The issue was published to the public on October 4 but first disclosed to Android on September 27.
In case you’re using one of the devices listed above, look out for an upcoming security patch to prevent yourself from being targeted by the latest vulnerability.