UPDATED 14:22 EDT / OCTOBER 04 2019

SECURITY

Google reveals hackers are using a new flaw to attack Android devices

A month after revealing a set of previously unknown “zero-day” vulnerabilities in iOS, Google LLC has exposed a zero-day flaw affecting its own Android operating system.

The search giant published a technical description of the bug late Thursday. Project Zero, the Google security team behind the report, usually waits 90 days before publicizing a software vulnerability to give the software’s developers time to fix it. But in this case, the group made the disclosure after just a week because it found evidence that the bug is being actively exploited by hackers. 

Project Zero team member Maddie Stone wrote that the bug “was allegedly being used or sold by the NSO Group,” an Israeli maker of surveillance software previously named as the creator of a zero-day WhatsApp exploit. The firm denied its involvement, telling Ars Technica that “this exploit has nothing to do with NSO.” 

In any case, the bug exists in a part of the operating system known as the binder driver. It’s a communications mechanism that Android apps use to exchange data with one another. According to Google, hackers can weaponize the binder driver to launch a so-called privilege escalation attack and gain complete control of a device.

There are two ways to exploit the bug. An attacker could trick a user into downloading a malicious app or deliver the payload via an infected web page. 

Google so far has identified 18 Android devices affected by the vulnerability, including its own Pixel and Pixel 2 phones as well as Samsung Electronics Co. Ltd.’s Galaxy S9. The Alphabet Inc. subsidiary warned that even more devices could potentially be vulnerable.

The list of affected devices doesn’t include the newer Pixel 3 that Google launched last year, which has been confirmed not to be affected, and Samsung’s latest Galaxy S10 flagship phone is absent from it too. That’s because the vulnerability found its way into Android via the Linux kernel: the kernel’s developers resolved the issue in early 2018, but Google somehow ended up bundling an older, vulnerable version into a few Android releases.

The company will release a patch for affected Pixel phones this month and has notified other Android handset makers about the exploit.
