Late last Thursday Google disclosed information concerning a zero-day (defined) vulnerability being used to exploit Google Android powered smartphones e.g. Google Pixel and phones from Huawei, Samsung and Xiaomi.
Be cautious of the apps you download in advance of a patch being made available. The web browsing means of exploitation requires a pre-existing exploit. A list of vulnerable phones is provided below. Update your smartphone to the October 2019 patch when it becomes available.
What details of this vulnerability have been released?
The following smartphones have been confirmed as vulnerable:
1) Pixel 1 and 2 with Android 9 and Android 10 preview
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
6) Oppo A3
7) Moto Z3
8) Oreo LG phones (run same kernel according to website)
9) Samsung Galaxy S7, S8, S9
Not Vulnerable: Google Pixel 3 and 3a
The vulnerability is a local privilege escalation vulnerability (defined) making use of a use after free (defined) issue in the Android binder driver (defined) which has the potential to provide an attacker with full control of the device. The first means of exploiting this vulnerability is via a rogue app. Google Project Zero researcher Maddie Stone adds further details for the second means of exploitation: “If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox”.
In other words, in order to use the second means of exploitation an attacker would already need to have loaded an exploit on your phone that they know the device is vulnerable, making this avenue of attack less likely.
How can I protect my device from this vulnerability?
Try to only download your apps from the Google Play store in advance of a patch becoming available. Read the reviews of the app to make certain it is a genuine app that works as intended. Scan any new app with trusted anti-malware software before you open it (while I acknowledge anti-malware software is not 100% accurate it can provide further protection over not using it).
Install the October 2019 security update when it becomes available for your smart device.