Attackers are reportedly exploiting a zero-day vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night. There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero member Maddie Stone said in a post. Exploits require little or no customisation to fully root vulnerable phones. The vulnerability can be exploited in two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.
Commenting on this, Jonathan Knudsen, senior security strategist at Synopsys, said: “The newly announced Project Zero disclosure involving a vulnerability in the Android kernel illustrates a classic division of labor between development teams and security teams.
“Vulnerabilities will inevitably slip through the cracks if security testing mechanisms aren’t incorporated into the testing phase of software development. Using a secure development life cycle (SDLC), including more and better security testing, means that more vulnerabilities will be located and eliminated before products are released.
“When a downstream security team, an external researcher, or an adversary finds a vulnerability, the best practice is to determine why the vulnerability was not found during development, then improve the process so that any similar vulnerabilities will be detected and eradicated as early in the development process as possible. Over time, the SDLC becomes more and more accurate and lethal to vulnerabilities, resulting in fewer released vulnerabilities and lower risk overall.”