Details about a zero-day vulnerability impacting the Android mobile operating system were published online yesterday, September 4.
The vulnerability resides in how the Video for Linux (V4L2) driver that’s included with the Android OS handles input data.
Feeding the driver malicious input can allow an attacker to elevate their access from a lowly user to root access.
The good news is that this vulnerability — categorized as a privilege escalation issue — can’t be exploited remotely. Attackers need local access, meaning they need to plant malicious code on the device beforehand.
This zero-day can’t be used to break into users’ phones, but it can be used to make hacks much worse by allowing attackers to take full control of a device after the initial infection.
Zero-day can be easily weaponized
One scenario where this zero-day can come in handy is when malware authors bundle it within malicious apps they distribute via the official Play Store or through third-party app stores.
After the user installs one of these malicious apps, the zero-day can grant the malicious app root access, and the app can then carry out any operations it wants: stealing user data, downloading other apps, etc.
This is how all privilege escalation bugs are normally used on Android devices.
Some security experts might play down the importance of this zero-day, which hasn’t received a CVE number yet, but privilege escalation vulnerabilities are very easy to weaponize in the Android ecosystem, unlike on most other operating systems, where they’re not considered a priority.
For example, nowadays, many malicious Android apps come bundled with the Dirty COW privilege escalation exploit that lets the apps gain root access on older Android smartphones.
Android devs were notified, but failed to deliver a patch
However, despite a history of malicious apps abusing privilege escalation bugs to gain root access, the maintainers of the Android Open Source Project (AOSP) have not patched this one.
They had all the time in the world, since the issue was first reported to AOSP back in March this year, after being discovered by two Trend Micro security researchers. In spite of acknowledging the bug report and promising a patch, the fix never came.
Yesterday, Trend Micro researchers went public with their findings after Google published the September 2019 Android Security Bulletin, which didn’t include a fix for their bug.
For the moment, there’s no easy solution to prevent malicious apps from exploiting this issue.