Google’s monthly Android security fixes are normally just for Google devices, but Samsung, Motorola, LG, Oppo, Huawei and Xiaomi are all rolling out their own versions of the October 2019 security update to patch a major zero-day security vulnerability present on several Android smartphones. Those with vulnerable phones should make sure they download the patch as soon as it’s available sometime in the next few days.
Researchers at Google have discovered a new zero-day exploit in Android that has the potential to infect millions of devices. The vulnerability is located in the kernel of the OS and has already been used by bad actors in the wild. Here are the phones known to be affected, including models from Google, Samsung and Huawei.
The bug — which shows up in the security patch notes as CVE-2019-2215 — allows a hacker to remotely root and take complete control of a device, though it requires the victim to install an infected app first (or the hacker uses the exploit in conjunction with a Chrome-based loophole to deploy the attack).
The exploit is present on the following phones, though Google’s Project Zero cautions that other handsets could be affected as well:
Google Pixel, Pixel XL, Pixel 2 and 2 XL
Samsung Galaxy S7, S8 and S9
LG models running Android Oreo
Motorola Moto Z3
Xiaomi A1, Redmi 5A, and Redmi Note 5
Google will start rolling out the October 2019 security patch Tuesday, and other manufacturers will likely have their own version live within the next few days. Keep an eye out for automatic update notifications, or check for the patch yourself by going to your phone’s Settings app and searching for “System Update.” (The exact pathway will differ depending on your device and version of Android.)
Google Project Zero reports that the bug has been successfully exploited, which raises some big questions regarding who is using it and why. The exploit itself was created by the Israeli online security firm NSO, who denies that it or any of its clients — which mostly consists of government groups and national security organisations — are actively using the exploit.
While it’s unlikely average Android users will be targeted by whoever is exploiting the bug, it’s severe enough that everyone should install the October 2019 security update once it’s available on their specific device, and those using any of the smartphones listed above should take extra care in the meantime.
If you’re interested in reading more about the bug and how it works, check out Ars Technica’s full report.