Experts On Attackers Exploit Zero-Day Vulnerability That Gives Full Control Of Android Phones

It has been reported that attackers are exploiting a zero-day vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night. There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero member Maddie Stone said in a post. Exploits require little or no customisation to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.

 

Experts Comments

October 07, 2019
Jonathan Knudsen
Senior Security Strategist
Synopsys
The newly announced Project Zero disclosure involving a vulnerability in the Android kernel illustrates a classic division of labor between development teams and security teams. Vulnerabilities will inevitably slip through the cracks if security testing mechanisms aren’t incorporated into the testing phase of software development. Using a secure development life cycle (SDLC), including more and better security testing, means that more vulnerabilities will be located and eliminated before.....Read More
The newly announced Project Zero disclosure involving a vulnerability in the Android kernel illustrates a classic division of labor between development teams and security teams. Vulnerabilities will inevitably slip through the cracks if security testing mechanisms aren’t incorporated into the testing phase of software development. Using a secure development life cycle (SDLC), including more and better security testing, means that more vulnerabilities will be located and eliminated before products are released. When a downstream security team, an external researcher, or an adversary finds a vulnerability, the best practice is to determine why the vulnerability was not found during development, then improve the process so that any similar vulnerabilities will be detected and eradicated as early in the development process as possible. Over time, the SDLC becomes more and more accurate and lethal to vulnerabilities, resulting in fewer released vulnerabilities and lower risk overall.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.