O Google found that a serious security breach in Android is being exploited by hackers to gain full control of vulnerable cell phones. The loophole, present in smartphones from Samsung, Xiaomi and even Google, allows a malicious application to obtain administrative permissions and originates in an old version of the Linux kernel.
The vulnerability is for privilege escalation, that is, code executed as an ordinary user gains greater permissions than it should. It was fixed in December 2017 in the Linux kernel, but for some reason it never made it into Android’s monthly security packages. Therefore, cell phones that run specific versions of the kernel (prior to 3.18, 4.4 or 4.9) are subject to failure.
According to Google, the list of vulnerable devices includes, but is not limited to, the following models:
It is possible to exploit the flaw in two ways: by installing a malicious application on the victim’s cell phone; or through online attacks, taking advantage of another vulnerability in the Chrome rendering engine. Google security researcher Maddie Stone, points that the breach is being exploited and that the NSO Group could be using or selling the exploit.
NSO Group is a company known for developing cyber espionage tools for governments around the world. Its main product is the Pegasus, which can activate a cell phone’s microphone and camera, search messages and collect location data. It is spyware sold to intelligence agencies in Europe, the Americas and the Middle East, advertised as a tool to fight crime and terrorism.
The Israeli company denies any involvement with the loophole discovered by Google and says it “does not sell and will never sell exploits or vulnerabilities”, adding that “our work is focused on developing products designed to help licensed intelligence and law enforcement agencies to save lives ”.
Although serious, the vulnerability should only be exploited on specific targets. Until it is fixed, users can take precautions to avoid installing suspicious applications and accessing the web on Android with a browser other than Chrome.
With information: Ars Technica.