Information Security News

Google’s Pixel 2 was being exploited – Android released monthly security information for October

We found that there was evidence that an unresolved vulnerability in Google ’s Pixel 2 was being exploited.

Google released monthly security information on October 7, 2019, for Android and revealed the contents of security patches that fix vulnerabilities discovered so far. Google Project Zero (hereinafter referred to as Project Zero) researchers disclosed information and urged caution, as evidenced by the evidence that unresolved vulnerabilities in Google’s “Pixel 2” were being exploited.

Android’s monthly security patches are distributed to user devices via partners such as carriers and device manufacturers. From Android 10, the “Google Play System Update” (Project Mainline) function allows important codes to be delivered directly to the terminal from Google Play without going through the terminal manufacturer.

The monthly patch for October follows the usual rules and consists of two sets of “2019-10-01” and “2019-10-05”. The patch level after “2019-10-05” is said to have fixed all the problems found so far.

Among them, the media framework component has three vulnerabilities classified as “Critical” with the highest risk level. If exploited, a remote attacker could execute arbitrary code using a specially crafted file.

On the other hand, Pixel 2’s vulnerability announced by researchers at Project Zero was confirmed to have been attacked in late September. There is information that is used and sold by the Israeli company NSO Group. NSO Group is said to be selling spyware products to government agencies in various countries.

According to the information posted on the Project Zero page, this vulnerability (CVE-2019-2215) was fixed in Android kernel versions 3.18, 4.4 and 4.9 in December 2017. However, after examining the source code, it was found that Pixel 2 (with Android 9 and Android 10 preview) with the latest patch still has vulnerabilities. In addition to Pixel 1 and 2, some models such as Huawei Technologies, Xiaomi, Motorola, and Samsung Electronics are also affected.

According to Google, this vulnerability has a high risk and can be exploited through malicious apps. It has been notified for Android partners and will provide patches through the Android Common Kernel, while Pixel 1 and 2 will be addressed in an October update.

Show More

Ali Hasan

Founder and Editor-in-Chief of 'Next Web Hack', Ali is an InfoSec Enthusiast. I'm currently completing my Bachelor in Science (B.S) in Computer Science from Iqra University.

Related Articles

Back to top button