Google’s security researchers recently discovered an active “zero-day” Android vulnerability that was believed to have already been patched two years ago.
Researchers at the company’s Project Zero team said the problem affects phones manufactured by Samsung (including the Galaxy S7, S8, and S9), as well as the Huawei P20, Pixel 1, and Pixel 2.
The bug was marked as having been patched in December 2017, but apparently the fix didn’t translate to newer versions of the operating system.
“We have evidence that this bug is being used in the wild,” Google’s security researchers said in a post.
Kernel privilege escalation bug
The company publicly disclosed the details of the bug just seven days after uncovering it due to its severity. However, Google said the vulnerability requires the installation of a malicious application to compromise a device, which reduces the risk of an attacker getting control of a mobile device.
“This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation,” wrote Tim Willis, a Project Zero member. “Any other vectors, such as via web browser, require chaining with an additional exploit.”
The company said it has notified Android partners and made a patch available on the Android Common Kernel.
"Pixel 3 and 3a devices are not vulnerable, while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update," Google’s security researchers added. Other devices affected are the Xioami Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3 and the Moto Z3.