Found by the Google Project Zero team. Google's Threat Analysis Group confirms that the vulnerability has been used in real attacks.
Luckily, this is not the worst Android exploit we have ever seen. ZDNet reports that it is not an RCE (remote code execution) bug, so user interaction is required. However, it needs very little per-device customization, so it should work on a wide range of smartphones.
Currently, the following is a list of affected phones:
- Pixel 1 and 2
- Huawei P20
- Xiaomi Redmi 5A, Redmi Note 5, A1
- Oppo A3
- Moto Z3
- LG phones running Android Oreo
- Samsung Galaxy S7, S8, S9
The Google watchdog group believes that the exploit is the work of NSO Group, an Israeli company known for selling exploits and surveillance tools. An NSO spokesperson denies this.
Fortunately, this vulnerability was first patched in 2017. In later Android updates, however, the vulnerability re-emerged and slipped under the radar.
A patch is available on the Android Common Kernel, and Android partners have been notified. Pixel 1 and 2 will receive the patch in this month's Android update, but who knows if other vendors will be as prompt with the patch.