An Android flaw was discovered in 2017 and codenamed “zero-day”. The bug was patched in the Android 8.x releases, but that patch was not carried over to the latest versions, thereby leaving them vulnerable.
The vulnerability affected devices such as the Pixel 1 and 2, the Huawei P20, and the Samsung Galaxy S7, S8, and S9, among others.
Zero-day was discovered by Google’s Project Zero team, and the Threat Analysis Team believes that the vulnerability was exploited by Israel’s NSO Group, a company that has been accused in the past of attacks on human rights and political activists.
However, Google claims that zero-day is not readily a danger unless accompanying malware has first been installed on the device to exploit the vulnerability before real damage can be carried out. What Google is really saying is that it “requires installation of a malicious application for potential exploitation.” This means zero-day cannot be triggered by a web browser or other applications without enabling malware in place.
Google has made the mistake in the past of announcing an Android flaw before notifying its partners, which often leaves these partners offended, not to mention that their devices on the market immediately become a target and the companies have to race hackers to release an update before serious damage is done.
However, this time around the problem was announced seven days after its discovery, seven days in which Google duly notified its partners, giving them ample time to react. The company said that it notified Android partners and made the patch available for the Android Common Kernel. “Pixel 3 and 3a devices are not vulnerable, while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update,” the team added. Other devices affected are the Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3 and the Moto Z3.