Pixel, Samsung, LG, Xiaomi and other Android phones are affected by zero-day vulnerability
Google notes that the vulnerability is being exploited now with attacks taking place in the real world making it a true zero-day vulnerability. The company stated that the “exploit requires little or no per-device customization,” which means that it might also be found on a wider range of handsets than those listed above. Google’s Threat Analysis Group says that this is the work of Israel’s NSO Group which has been known to sell surveillance tools and exploits. However, when reached by ZDNet for a comment, the company denied having anything to do with this vulnerability and said, “NSO did not sell and will never sell exploits or vulnerabilities. This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives.”
“This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.”-AOSP spokesman
Under Google’s policies, the company had to report this issue to the public within seven days, or when a patch is released (whichever came first). To reiterate, the October security update for the Pixels is due any day.