What you need to know
- A security researcher from Northwestern University discovered a new zero-day vulnerability.
- The vulnerability affects the kernel of Android devices.
- It could allow an attacker to gain arbitrary read and write access to devices such as Pixel 6/6 Pro and Galaxy S22 models.
Google continually works to secure Android by integrating industry-leading security features. This is one of the main reasons Android devices frequently get security patches. Google Play Protect is one such measure, meant to keep the best Android smartphones from downloading malicious apps.
Despite these efforts by Google, vulnerabilities of all kinds keep turning up in Android and other computing systems. A new one (via XDA Developers) was discovered by Zhenpeng Lin, a Ph.D. student at Northwestern University focusing on kernel security.
According to Lin, it’s a zero-day vulnerability in the kernel that could pwn the Google Pixel 6, as he suggested in his tweet last week. He also indicates that the same can be done on the Pixel 6 Pro. Not only Pixel devices but any Android device based on kernel v5.10 can be affected, including devices from the recent Samsung Galaxy S22 series.
Latest Google Pixel 6 pwned with 0day in kernel! A random read/write was obtained to escalate privilege and disable SELinux without hijacking the control flow. The bug also affects the Pixel 6 Pro, other Pixels are not affected 🙂 pic.twitter.com/UsOI3ZbN3L
5 July 2022
In his tweet, Lin also noted that with this vulnerability, an attacker can gain arbitrary read and write access and disable SELinux. The XDA Developers report also notes that this level of privilege can let an attacker tamper with the operating system and manipulate its internal security routines, among other things.
In replies to his tweet, Lin also mentions that the vulnerability isn’t limited to phones: the general Linux kernel is similarly affected. He also indicates that Android devices with the July Android security updates are vulnerable to this zero-day as well.
Lin will likely share more about this vulnerability at Black Hat USA 2022, which is set to begin next month. Two other security researchers plan to join him in a 40-minute briefing titled “Cautious: A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe.”
The bug has been reported to Google, so now we have to wait for them to sort the bug, set the CVE, test the patch, and then include the patch in a future Android Security Bulletin. This will all take time, so a fix won’t be available for a few months.
6 July 2022
Another tweet addressing this vulnerability, by Mishaal Rahman, chief technical editor at Esper, states that the bug has been reported to Google. This means we now need to wait for Google to sort out the bug report, set the CVE, test the fix, and integrate the patch into a subsequent Android Security Bulletin. This appears to be a time-consuming process; therefore, a solution will not be available for several months, Rahman suggests.
Meanwhile, Android device owners should be careful about installing random apps other than those vetted through Google Play Protect, and should avoid installing from untrusted sources altogether.