This zero-day is a kernel local privilege escalation (LPE) bug that uses a use-after-free flaw in the Android binder driver, which potential attackers can exploit to gain full control of unpatched devices. "If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox," says Google Project Zero researcher Maddie Stone, the project's investigator. Although the issue had previously been patched in the 4.14 LTS kernel without a CVE in December 2017, and in the Android Open Source Project (AOSP) Android 3.18, 4.4, and 4.9 kernels, the vulnerability was reintroduced in later versions.

# Impacts Pixel, Apple, Xiaomi, Huawei Smartphones

Stone says the CVE-2019-2215 vulnerability affects "most Android devices since fall 2018," requiring "little or no per-device customization." The following Android devices have been reported as vulnerable in Project Zero's bug tracker:

- Pixel 1 and 2 (and XL) with Android 9 and Android 10 preview
- Samsung S7, S8, S9
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- Oreo LG phones

Although Google's Project Zero usually discloses vulnerabilities after 90 days, actively exploited vulnerabilities are subject to a 7-day time limit. "After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public," says Stone.

PoC exploit demonstration

# Attributed to the NSO Group

"The vulnerability was reportedly used or sold by NSO Group," an Israel-based company known for developing, modifying, and selling vulnerabilities and tools such as the Pegasus Android and iOS spyware, says Google's Threat Analysis Group. Although successful exploitation of this vulnerability could allow potential attackers to gain full control of compromised Android devices, it cannot be used to compromise them remotely.

"This issue is rated high severity on Android and by itself requires a malicious application to be installed for potential exploitation. Any other method, such as through a web browser, needs an additional exploit," says an AOSP statement. "We've alerted Android partners, and the patch is available on the Android common kernel. Pixel 3 and 3a are not affected, whereas Pixel 1 and 2 are patched as part of the October update for this issue."