Experts On Attackers Exploit Zero-Day Vulnerability That Gives Full Control Of Android Phones

By   ISBuzz Team
Writer , Information Security Buzz | Oct 07, 2019 03:21 am PST

It has been reported that attackers are exploiting a zero-day vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night. There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero member Maddie Stone said in a post. Exploits require little or no customisation to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.

 

Subscribe
Notify of
guest
1 Expert Comment
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Jonathan Knudsen
Jonathan Knudsen , Senior Security Strategist
October 7, 2019 11:23 am

The newly announced Project Zero disclosure involving a vulnerability in the Android kernel illustrates a classic division of labor between development teams and security teams.

Vulnerabilities will inevitably slip through the cracks if security testing mechanisms aren’t incorporated into the testing phase of software development. Using a secure development life cycle (SDLC), including more and better security testing, means that more vulnerabilities will be located and eliminated before products are released.

When a downstream security team, an external researcher, or an adversary finds a vulnerability, the best practice is to determine why the vulnerability was not found during development, then improve the process so that any similar vulnerabilities will be detected and eradicated as early in the development process as possible. Over time, the SDLC becomes more and more accurate and lethal to vulnerabilities, resulting in fewer released vulnerabilities and lower risk overall.

Last edited 4 years ago by Jonathan Knudsen

Recent Posts

1
0
Would love your thoughts, please comment.x
()
x