- Google has valid grounds to believe that the NSO Group has found a way to exploit a flaw they thought they’d fixed in 2017.
- The particular exploit is a kernel privilege escalation that enables an attacker to fully compromise a device.
- There is no patch for it yet, and the wide range of affected manufacturers will make plugging it harder.
Google has issued a security alert, warning millions of Android phone users about a vulnerability that the NSO Group is already exploiting. The NSO Group is the notorious Israeli tech firm that produces surveillance tools targeting iOS and Android devices. These sophisticated spyware tools exploit zero-day flaws that are undisclosed and unreported, enabling the company to sell its services to other entities for a very high price. We recently saw a revelation connecting the U.S. Drug Enforcement Administration with the NSO Group, while in the past we have discussed the company’s ties with Middle Eastern and other oppressive regimes.
This latest revelation concerns a vulnerability that affects the following models:
- Google Pixel 2
- Huawei P20
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Moto Z3
- All LG Phones Running Android Oreo
- Samsung S7, S8, and S9
With some of the above being among the most popular Android phones in existence, we’re talking about millions and millions of affected users. The vulnerability was fixed in the December 2017 Android security update, but for an undisclosed reason, the security review of the above models shows that the exploit still works.
The problem seems to be a kernel privilege escalation bug, allowing an attacker to gain system-level access. This opens the way to data exfiltration, spying, activating microphones and cameras, and leveraging anything a phone can do. As a Google spokesperson commented on a Project Zero board, the exploit could be delivered via the web, and only needs to be paired with a renderer flaw in order to work. A locally installed application could also be used for the same purpose, but this would be a harder path for the attackers to take. Google’s researchers categorized the issue as “high severity,” as expected.
The reason why Google accuses NSO specifically remains unknown. Obviously, they have evidence in hand, but they chose not to provide any further details about this either. There could be some connection with the recently disclosed Uyghur and Tibetan targeting operation, but this is just speculation at this point. Since the team had evidence that the bug is being exploited in the wild, the disclosure came seven days after its discovery, with no patch available yet.