Attackers exploit 0-day vulnerability that gives full control of Android phones


The use-after-free vulnerability originally appeared in the Linux kernel and was patched in early 2018 in version 4.14, without a CVE being assigned to track the fix. That fix was later incorporated into the 3.18, 4.4, and 4.9 branches of the Android kernel. For reasons that weren't explained in the post, the fix never made its way into the Android security updates shipped to devices, which would explain why earlier Pixel models are vulnerable and later ones are not. Because the fix was never flagged as a security backport, a device's kernel version alone doesn't tell you whether it is patched. The flaw is now tracked as CVE-2019-2215.

Remember NSO?

Stone said that information she received from Google’s Threat Analysis Group indicated the exploit was “allegedly being used or sold by the NSO Group,” a developer of exploits and spyware it sells to various government entities.

In an email sent eight hours after this post went live, NSO representatives wrote: “NSO did not sell and will never sell exploits or vulnerabilities. This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives.”

Israel-based NSO gained widespread attention with the discoveries in 2016 and 2017 of an advanced piece of mobile spyware it developed called Pegasus. It jailbreaks or roots both iOS and Android phones so it can trawl through private messages, activate the microphone and camera, and collect all kinds of other sensitive information. Researchers from University of Toronto-based Citizen Lab determined that the iOS version of Pegasus targeted a political dissident located in the United Arab Emirates.

Earlier this year, Citizen Lab uncovered proof that NSO developed an advanced exploit against the WhatsApp messenger that also installed spyware on vulnerable phones, without requiring end users to take any action. An undercover sting targeting Citizen Lab researchers also had a major focus on NSO.

“As an NSO customer, I’d worry that NSO’s notoriety has attracted the kind of heavy scrutiny from security teams and researchers that could lead to my most sensitive espionage operations being disrupted, and exposed,” John Scott-Railton, a senior researcher at Citizen Lab, told Ars.

Project Zero gives developers 90 days to issue a fix before publishing vulnerability reports, but it shortens that window to seven days when a vulnerability is being actively exploited. The Android vulnerability in this case was published seven days after it was privately reported to the Android team.

While the vulnerability reported on Thursday is serious, vulnerable Android users shouldn't panic. The chances of being hit by attacks as expensive and targeted as the one described by Project Zero are extremely slim. Just the same, it may make sense to hold off installing non-essential apps until the patch is installed, since any untrusted app that can reach the kernel could trigger the bug. The suggestion to use a non-Chrome browser in the meantime stems from Project Zero's note that the bug is reachable from inside Chrome's renderer sandbox, so a web-delivered attack only needs to pair it with a renderer exploit; keep in mind that other Chromium-based browsers rely on the same sandbox model.

Post updated at 10/4/2019, 6:22 AM California time to add comment from NSO.