Google has issued a security alert, warning millions of Android phone users about a vulnerability that the NSO Group is already exploiting. The NSO Group is the notorious Israeli tech firm that produces surveillance tools, targeting iOS and Android devices. These sophisticated spyware tools exploit zero-day flaws that are undisclosed and unreported, enabling the companies to sell their services to other entities for a very high price. We recently saw a revelation connecting the U.S. Drug Enforcement Administration with the NSO Group, while in the past, we have discussed the company’s ties with Middle Eastern and other oppressive regimes.
This latest revelation concerns a vulnerability that affects the following models:
With some of the above being among the most popular Android phones in existence, we’re talking about millions and millions of users being affected. The particular vulnerability has already been fixed since the December 2017 Android security update, but for an undisclosed reason, the security review on the above models shows that the exploit is still working.
The problem seems to be a kernel privilege escalation bug, allowing an attacker to gain system-level access. This opens the way to data exfiltration, spying, activating microphones and cameras, and leverage anything that a phone can do really. As a spokesperson of Google commented on a Project-Zero board, the exploit could be delivered via the web, and only needs to be paired with a renderer flaw in order to work. A locally installed application can also be used for the same purpose, but this would be a harder path for the attackers to take. The issue was categorized by Google’s researchers in the “high severity” level, as expected.
The reason why Google accuses NSO specifically remains unknown. Obviously, they have evidence in the hands, but they chose not to provide any more details about this either. There could be some connection with the recently disclosed Uyghur and Tibetan targeting operation, but this is just speculation at this point. Since the team had evidence that the bug is being exploited in the wild, the disclosure came seven days after its discovery, with a fixing patch nowhere to be seen yet.
What is your platform of choice for security? Android or iOS? Let us know where you stand in the comments below, or on our socials, on Facebook and Twitter.