Zero-day Android vulnerability can give hackers full control of devices

7 Oct 2019

Image: © Markomarcello/

Google’s Project Zero has disclosed the details of a vulnerability that can grant hackers full control of an Android device.

Reports have emerged that a zero-day vulnerability in Google’s Android mobile operating system is allowing hackers to assume full control of at least 18 different phone models, including four different Pixel models.

Maddie Stone, a member of Google’s Project Zero research group, wrote in a post that the vulnerability was being actively exploited either by cyber intelligence company NSO Group or one of its customers. NSO representatives have denied this, however, saying that the “exploit has nothing to do with NSO”.

“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device,” Stone wrote. “If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.”

Samsung Galaxy S7, Samsung Galaxy S8, Samsung Galaxy S9, Xiaomi Redmi 5A and Xiaomi Redmi Note 5 are just some of the phones listed as vulnerable.

High-severity issue

According to a statement posted by a member of the Google Project Zero team, the issue is rated as “high severity” on Android. It added that the vulnerability “requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners and the patch is available on the Android Common Kernel.”

The vendor note also stated that Pixel 3 and 3a devices are not vulnerable, and that Pixel 1 and 2 devices will be receiving updates for the issue as part of the October update.

As of Friday (4 October), Project Zero team members reported evidence of the exploit “in the wild”, de-restricting the conversation surrounding the vulnerability and allowing it to come to light.

Project Zero reports that almost 96pc of the issues it discovers are fixed prior to being de-restricted. The team initially hides details as it processes a report to the relevant bodies, however, after a certain amount of time has passed, it makes the technical description of the vulnerability publicly accessible.

Eva Short was a journalist at Silicon Republic