Latest News

New Android Malware Steals Banking Passwords, Private Data and Keystrokes

A new type of mobile banking malware has been discovered abusing Android's accessibility features to exfiltrate sensitive data from financial applications, read user SMS messages, and hijack SMS-based two-factor authentication codes.

Microsoft Issues Patches for 4 Bugs Exploited as Zero-Day in the Wild

It's April 2020 Patch Tuesday, and during these challenging times of the coronavirus pandemic, this month's patch management process will not be easy for many organizations, where most of the resources are working remotely.

New Zoom Hack Lets Hackers Compromise Windows and Its Login Password

Zoom has been around for nine years, but the immediate need for an easy-to-use video conferencing app during the coronavirus pandemic made it, overnight, one of the most favored communication tools for millions of people around the globe.

Warning — Two Unpatched Critical 0-Day RCE Flaws Affect All Windows Versions

Microsoft today issued a new security advisory warning billions of Windows users of two new critical, unpatched zero-day vulnerabilities that could let hackers remotely take complete control over targeted computers.

New Android Cookie-Stealing Malware Found Hijacking Facebook Accounts

A new, simple but dangerous strain of Android malware has been found in the wild that steals users' authentication cookies from web browsers and other apps, including Chrome and Facebook, installed on the compromised devices.

Warning — Unpatched Critical 'Wormable' Windows SMBv3 Flaw Disclosed

Shortly after releasing its monthly batch of security updates, Microsoft late yesterday separately issued an advisory warning billions of its Windows users of a new critical, unpatched, and wormable vulnerability affecting the Server Message Block 3.0 (SMBv3) network communication protocol.

Microsoft Issues March 2020 Updates to Patch 115 Security Flaws

Microsoft today released security updates to fix a total of 115 new security vulnerabilities in various versions of its Windows operating system and related software, making the March 2020 edition the biggest-ever Patch Tuesday in the company's history.

Critical PPP Daemon Flaw Opens Most Linux Systems to Remote Hackers

US-CERT today issued an advisory warning users of a new, dangerous 17-year-old remote code execution vulnerability affecting the PPP daemon (pppd) software, which comes installed on almost all Linux-based operating systems and also powers the firmware of many other networking devices.

GhostCat: New High-Risk Vulnerability Affects Servers Running Apache Tomcat

If your web server is running on Apache Tomcat, you should immediately install the latest available version of the server application to prevent hackers from taking unauthorized control over it.

New Wi-Fi Encryption Vulnerability Affects Over A Billion Devices

Cyber security researchers today uncovered a new high-severity hardware vulnerability residing in the widely-used Wi-Fi chips manufactured by Broadcom and Cypress—apparently powering over a billion devices, including smartphones, tablets, laptops, routers, and IoT gadgets.

Most Viewed News

New 0-Day Flaw Affecting Most Android Phones Being Exploited in the Wild

Another day, another revelation of a critical unpatched zero-day vulnerability, this time in the world's most widely used mobile operating system, Android.

What's more? The Android zero-day vulnerability has also been found to be exploited in the wild by the Israeli surveillance vendor NSO Group—infamous for selling zero-day exploits to governments—or one of its customers, to gain control of their targets' Android devices.

Discovered by Project Zero researcher Maddie Stone, the high-severity security vulnerability is tracked as CVE-2019-2215. Its details and a proof-of-concept exploit have been made public today, just seven days after it was reported to the Android security team.

The zero-day is a use-after-free vulnerability in the Android kernel's binder driver that can allow a local privileged attacker or an app to escalate their privileges to gain root access to a vulnerable device and potentially take full remote control of the device.

Vulnerable Android Devices

The vulnerability resides in versions of the Android kernel released before April last year. A patch for it was included in the 4.14 LTS Linux kernel released in December 2017, but was only incorporated in AOSP Android kernel versions 3.18, 4.4 and 4.9.

Therefore, most Android devices manufactured and sold by a majority of vendors with the unpatched kernel are still affected by this vulnerability even after receiving the latest Android updates, including the popular smartphone models listed below:

  • Pixel 1
  • Pixel 1 XL
  • Pixel 2
  • Pixel 2 XL
  • Huawei P20
  • Xiaomi Redmi 5A
  • Xiaomi Redmi Note 5
  • Xiaomi A1
  • Oppo A3
  • Moto Z3
  • Oreo LG phones
  • Samsung S7
  • Samsung S8
  • Samsung S9

Note that Pixel 3, 3 XL, and 3a devices running the latest Android kernels are not vulnerable to the issue.

Android Flaw Can Be Exploited Remotely

According to the researcher, since the issue is "accessible from inside the Chrome sandbox," the Android kernel zero-day vulnerability can also be exploited remotely by combining it with a separate Chrome rendering flaw.

"The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox," Stone says in the Chromium blog.

"I've attached a local exploit proof-of-concept to demonstrate how this bug can be used to gain arbitrary kernel read/write when running locally. It only requires the untrusted app code execution to exploit CVE-2019-2215. I've also attached a screenshot (success.png) of the POC running on a Pixel 2, running Android 10 with security patch level September 2019."

Patches to be Made Available Soon

Though Google will release a patch for this vulnerability in its October Android Security Bulletin in the coming days and has also notified OEMs, most affected devices are unlikely to receive the patch immediately, unlike Google Pixel 1 and 2.

"This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit," the Android security team said in a statement.

"We have notified Android partners, and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update."

Google's Project Zero division usually gives software developers a 90-day deadline to fix an issue in their affected products before going public with the details and PoC exploits, but in the case of active exploitation, the team goes public seven days after the issue was privately reported.

What's your take? Although this vulnerability is severe and can be used to gain root access to an Android device, users need not worry that much as the exploitation of such issues is mostly limited to targeted attack scenarios.

Nevertheless, it's always a good idea to avoid downloading and installing apps from third-party app stores and any unnecessary apps, even from the Google Play Store.


Contact Us

Free Call[OH]: 933

Phone Number: +251-900-89-64-48, +251-944-33-68-02

E-mail: ethiocert@insa.gov.et

P.O.Box: 124498
