A security vulnerability exists in the Android operating system installed on 18 models of smartphones currently on the market, including four models of Google Pixel, according to information security experts from the Google security team known as Project Zero. ».

The loophole is considered "highly sensitive and dangerous" because it allows attackers who recognize and exploit it to take full control of the phone, including "microphone", "camera" and contacts list, as well as call spying, among others.

They added that the vulnerability allows attackers and criminals to launch attacks of the type «Day zero», or attacks that do not have security solutions available immediately known, and take time to find a solution to repel, indicating that the quick solution is to avoid using the browser «Chrome», pending the introduction of security patches end current month.

This came in two publications published by two members of Google's security team, Maddy Stone and Tim Willis, on the team's blog, and then the site Ars Technica specialized in information security issues report on the incident.

The most prominent infected phones

According to the team, the most prominent smartphones running versions of the operating system «Android» infected with the new vulnerability «CV - 2019 - 2215», are «Google Pixel 1», «Google Pixel 1 XL», «« Google Pixel 2, Google Pixel 2 XL, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Chow Me A1, and Abu Dhabi 3A Motorola Z3, LG Oreo, Samsung Galaxy S7, Samsung Galaxy S8 and Samsung Galaxy S9.

The nature of the loophole

Stone pointed out that the new vulnerability is a software bug in one of the components of the system «Android» that works on phones covered by security analysis, as this error allows attackers to gain access to privileges and privileges in the phone, up to full control, so that the attacker roam the messages Private, activate «microphone» and camera, eavesdropping and recording calls, and collect other sensitive information.

He said that the vulnerability appeared for the first time in the core core of the operating system «Linux», known as «Linux Kernel», and was corrected early last year, version (4.14) of the system, but the gap was not tracked and corrected in many previous versions of it, They are (4.9), (4.4) and (3.18), despite the use of this core kernel «Linux» in some versions of «Android», and did not enter the security patches for the system, which explains the emergence of the vulnerability in older models of phones Infected, especially Google Pixel phones, without appearing in newer versions.

Methods of infection

Stone pointed out that this vulnerability is exploited by attackers in two ways, the first is to download a tool or malicious advanced code on the phone, which is included in one of the mobile applications available on the Google Play store, and compatible with «Android» systems, where when you download this The application, meanwhile, downloads the malicious tool or advanced code, to exploit this vulnerability.

He added that the second way is to exploit a vulnerability he described as a «vulnerability» found in the browser «Google Chrome» dedicated to work on smart phones running the operating system «Android», where the vulnerability in the «Chrome» is exploited first, to access the operating system of the phone, Then access the vulnerability referred to through the protection box, and start to control the phone, by combining the basic vulnerability, and the vulnerability «Chrome» vulnerability in the code used by the browser to provide content.

High skills

For his part, Tim Willis confirmed the Stone hypothesis, adding that the vulnerability is very dangerous on the system «Android», but in itself requires the installation of an application or malicious code, in order to be able to exploit, or use other products, such as «Web» browsers to access A series of sequential additional images of the phone.

The technical nature of the new vulnerability suggests that while it is dangerous and highly sensitive, exploiting it requires high skills and a costly effort for attackers, which reduces the scope of attacks.

Updates and tips

The project team zero in Google «that» for the «Google» phones infected with the new vulnerability, will be introduced patches and security updates within the October update for the operating system «Android», which is scheduled to appear before the end of the month at the latest, but At the same time, he pointed out that the timetable for infected phones of companies other than «Google» is not yet clear.

The team stated that in general, from now until the introduction of security updates, all users who own infected devices, do two things, the first to avoid using the browser «Chrome», and rely on another browser, so as not to be used to access the vulnerability and control their phones, The second thing is not to download any unknown and unreliable applications from the Google Play Store, so that none of them include the code intended to exploit the new vulnerability.