Security researchers said Thursday that they have found a new Android exploit that lets hackers take over a person's phone. The Project Zero team discovered the vulnerability in late September. They've already seen evidence of the exploit being used in the real world before it could be patched, making it what's known as a zero-day vulnerability.
The exploit is in Android's operating system kernel code and, if abused, hackers could get root access to a victim's phone. The vulnerability, however, requires action from users -- such as downloading malicious software -- before a hacker can take over a phone. It can also be combined with a second exploit that targets the Chrome browser for a web-based attack. This means phone owners should stay aware of what they're downloading and the websites they visit.
Project Zero, a team dedicated to finding security bugs, gave a "non-exhaustive" list of which phone models running Android 8 or later could be affected by this exploit:
This exploit is listed as "high severity" and might affect even more phones than listed. Google is working to address the problem.
"Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming day," a Google spokesperson said in an email Friday. "Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue."
According to Project Zero, Israel-based cyberintelligence firm NSO Group is already using or selling this exploit, but the firm denies that claim.
"NSO did not sell and will never sell exploits or vulnerabilities," an NSO Group spokesperson said Friday. "This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives."