Millions Of Android Phones Are Vulnerable To Israeli Surveillance Dealer Attack, Google Warns
Google issued an alert overnight about a fresh vulnerability affecting hundreds of millions of Android phones, including its own Pixel 1 and 2 devices. According to Google security researcher Maddie Stone, the weakness is actively being used against targets of the Israeli spyware dealer NSO Group.
If you own any of the following phones, your device likely remains vulnerable today as patches are not yet available: the Google Pixel 1 and 2, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Moto Z3, Oreo LG phones and the Samsung S7, S8, S9 models. Those are some of the most popular Android phones in existence today. Huawei has shipped over 16 million P20 smartphones around the world, according to the Chinese company’s figures from the end of 2018. (A source told Forbes after publication that the number of affected devices is likely much higher, as those were the only ones that Google had been able to test.)
Stone said the underlying issue was fixed in Android back in December 2017, but “the Pixel 2 with most recent security bulletin is still vulnerable based on source code review.” The same is true for all those other Android phones, though Google didn’t explain why the patches didn’t prevent the latest exploits from working. Google also didn’t note why it had attributed the hacks to NSO Group.
A spokesperson for NSO, however, said: “NSO did not sell and will never sell exploits or vulnerabilities. This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives.”
A bug explained and squished (soon)
The problem was defined by Stone as a kernel privilege escalation bug, which means it provided a way for a hacker who’d already found a way onto the device to get deeper access, right into the heart of the Android operating system. Getting control of the kernel allows a hacker to do almost whatever they like on the phone, grabbing much of the data within. Whoever was exploiting the vulnerability would have likely used other bugs, combining them in what’s known as an “exploit chain” to completely own an Android device remotely. That is, after all, what NSO trades in; it’s built a reputation for being able to remotely target and take over smartphones, but its reported sales of this technology to Mexico and the U.A.E. have put it at the center of a storm over privacy and surveillance.
As Stone noted, if the hack was delivered via the Web, it would have required only one other kind of exploit. Just last month, similar attacks were launched in China, as Uighur-focused websites were hacked and used to infect iPhone and Android smartphones that landed on their pages.
“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox,” Stone wrote in a post on Thursday.
Tim Willis, a manager at Google’s Project Zero security research team, noted the issue was rated as “high severity,” adding that a malicious application could also be used to launch an attack via the vulnerability.
A patch for Pixel users is at least on the way. A Google spokesperson added: “Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming days. Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue.”
Israeli hackers for hire
NSO Group is one of many Israeli startups whose modus operandi is to hack into the world’s most-used operating systems for nation state intelligence and police agencies. On Thursday, Forbes disclosed details on one of the youngest members of that secretive community, Candiru, which one researcher believes is selling to various regimes, including Saudi Arabia, the U.A.E. and Uzbekistan.
These firms have faced a backlash over their authoritarian client book following revelations that their tools were allegedly used to spy on and track activists, journalists and human rights lawyers around the world. As Forbes revealed last year, various Saudi activists, some closely associated with murdered journalist Jamal Khashoggi, were targeted by NSO tools. NSO later denied having anything to do with Khashoggi’s death.