What you need to know
- A security researcher from Northwestern University discovered a new zero-day vulnerability.
- The vulnerability affects the kernel on Android devices.
- It can allow the attacker to gain arbitrary read and write access to devices like Pixel 6/6 Pro and Galaxy S22 models.
Google continually works on securing Android by incorporating industry-leading security features to keep the ecosystem safe. That’s one of the primary reasons Android devices frequently get security patches. Google Play Protect is one such measure to keep the best Android smartphones from downloading harmful apps.
Despite all such measures taken by Google, all kinds of vulnerabilities continue to turn up in Android and other computing systems worldwide. A new vulnerability (via XDA Developers) has been discovered by Zhenpeng Lin, a Ph.D. student at Northwestern University who focuses on kernel security.
According to a tweet Lin posted last week, it’s a zero-day vulnerability in the kernel that could pwn the Google Pixel 6. He further indicates this could also be performed on the Pixel 6 Pro. Beyond the Pixel devices, any Android device based on kernel v5.10 can be affected, including devices from the recent Samsung Galaxy S22 series.
The latest Google Pixel 6 pwned with a 0day in kernel! Achieved arbitrary read/write to escalate privilege and disable SELinux without hijacking control flow. The bug also affects Pixel 6 Pro, other Pixels are not affected 🙂 pic.twitter.com/UsOI3ZbN3L
July 5, 2022
In his tweet, Lin also implied that with this vulnerability, an attacker can gain arbitrary read and write access and disable SELinux. XDA Developers’ report further mentions that this kind of privilege lets an attacker tamper with the operating system and manipulate the built-in security routines, among other things.
In his accompanying tweet replies, Lin also mentions that the vulnerability is not limited to phones, as the general Linux kernel is affected similarly. He further points out that Android devices with the July Android security updates are also susceptible to this zero-day vulnerability.
Lin will likely share more on this vulnerability at Black Hat USA 2022, which is set to start next month. Two other security researchers plan to join him in a 40-minute briefing titled “Cautious: A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe.”
The bug was reported to Google, so now we have to wait for them to triage the bug, assign a CVE, test a patch, and then include the patch in a future Android Security Bulletin. This will all take time, so a fix won’t be available for a few months.
July 6, 2022
Another tweet by Esper’s Senior Technical Editor Mishaal Rahman addressing this vulnerability says that the bug has been reported to Google. That means we now need to wait for Google to triage the problem, assign a CVE, test a fix, and incorporate the patch in a subsequent Android Security Bulletin. This apparently is a time-consuming process; therefore, a fix will not be available for several months, suggests Rahman.
Meanwhile, Android device owners should be careful about installing random apps other than the ones cleared by Google Play Protect, or avoid installing from untrusted sources altogether.