What you need to know

  • Google's Project Zero found the 0-day vulnerability in the wild.
  • It affects a bunch of devices, including the Galaxy S7, S8, S9, and Pixel 1 and 2.
  • Google's already issued a patch, but manufacturers will need to push it out manually.

Google's Project Zero security research team has reported a 0-day vulnerability in the Android kernel that affects a handful of phones from several vendors. This flaw can be used to help an attacker gain elevated privileges in the operating system, allowing access to any user or application data that might be stored on the device. It's also suspected that the bug was or still is being used "in the wild" to exploit devices in the real world and not just a researcher's desk.

This exploit was previously patched in December 2017 but has resurfaced in the kernel source code for some Android devices running Android 8.0 or later. Researchers believe, based on physical testing or source code review, the following devices are affected:

VPN Deals: Lifetime license for $16, monthly plans at $1 & more

Google also says that the exploit could possibly be used against other phones as it requires "little or no device customization" by the vendor, but these have not been manually reviewed as is the case with the list of devices above.

This could be from the real pros of phone hacking, the NSO Group.

Google claims that the bug "was allegedly being used or sold by the NSO Group." The NSO Group is an Israeli cybersecurity firm that provides governments around the world with technology that "helps them combat terror and crime." The company is also behind the notorious Pegasus mobile spyware, which allegedly was able to breach WhatsApp and is able to harvest user data from the servers of Apple, Google, Amazon, Facebook, and Microsoft. There are claims that software created by NSO Group was used in targeted attacks against human rights activists and journalists in several countries.

What should you do?

If you're using one of the affected devices, the good news is that this exploit can't just happen on its own and requires "user interaction." That means you will either need to install and accept permissions for a secondary app used to trigger the bug or accept a download if using a web browser, per Google.

"This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update."

You'll want to follow the usual safe practices of not installing apps you don't trust and never accepting a download over the web you didn't ask for while you wait for an update from the company that made your phone. The Android team says that the patch is already available and that Pixel devices will be patched in the upcoming monthly Android Security Bulletin update for October.

More: How to properly secure your Android phone

Have you listened to this week's Android Central Podcast?

Android Central

Every week, the Android Central Podcast brings you the latest tech news, analysis and hot takes, with familiar co-hosts and special guests.

  • Subscribe in Pocket Casts: Audio
  • Subscribe in Spotify: Audio
  • Subscribe in iTunes: Audio

We may earn a commission for purchases using our links. Learn more.