Stay frosty & alert: More Zero day's found in Android phones

Pooh · October 7, 2019

Another reason why not to randomly install apps - even ones from the Android App store. This day and age it's hard to know how many are out there that will be weaponized.

The list of affected devices includes:

Pixel 1
Pixel 1 XL
Pixel 2
Pixel 2 XL
Huawei P20
Xiaomi Redmi 5A
Xiaomi Redmi Note 5
Xiaomi A1
Oppo A3
Moto Z3
Oreo LG phones
Samsung S7
Samsung S8
Samsung S9

https://threatpost.com/google-warns-of-zero-day/148924

https://bugs.chromium.org/p/project-zero/issues/detail?id=1942

kltaylor · October 7, 2019

Good catch, @Pooh

VioletChepil · October 7, 2019

Thanks @Pooh for this I've just promoted it too!!

DG12 · October 8, 2019

Please excuse my ignorance.
Why is this called a "zero-day" bug.?
"...was patched in 2018 for versions 3.18, 4.4, and 4.9 of the Android kernel. "
++++++
from :https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
...This issue was patched in Dec 2017 in the 4.14 LTS kernel [1], AOSP android 3.18 kernel [2], AOSP android 4.4 kernel [3], and AOSP android 4.9 kernel [4], but the Pixel 2 with most recent security bulletin is still vulnerable based on source code review.
++++++

Does this mean that, although this vulnerability was discovered nearly 2 years ago, companies like Motorolo (Moto Z3), LG( Oreo) and Samsung ( S7, S8, S9) haven't sent out updates that include the fix?

Pooh · October 8, 2019

@DG12 I'm unsure if the full story is out yet, however it looks like the original vulnerability wasn't assigned a CVE and also wasn't backported into the Android monthly security cycle.

It's a zero day because it was being exploited before anyone knew about it. The fact it was patched previously is irrelevant given that it never made it into the relevant monthly updates and no-one realized.

DG12 · October 8, 2019

Thanks

Stay frosty & alert: More Zero day's found in Android phones

Comments

Categories