• Security researchers have announced details about a high-severity, zero-day vulnerability that affects the Android mobile operating system.
  • This vulnerability can allow attackers to take full control when they have local access to the compromised device.

A high-severity, zero-day security vulnerability in Android OS, which resides in the Video for Linux 2 (v4l2) driver, has been disclosed. To exploit this vulnerability, attackers first need local access to the device, after which they can take complete control of it.

What is the matter?

  • This vulnerability exists in the driver of v4l2, an application used for video recording.
  • When attackers have access to execute low-privileged code on a device, they can exploit this vulnerability to escalate their privileges.
  • Once attackers have the required privileges, they can run malicious applications and take over the entire device.
  • Zero Day Initiative (ZDI) has calculated the severity of this bug to be 7.8 out of 10.

This vulnerability doesn’t help hackers break into users’ phones or attack remotely. Local access is required to inject malicious code, which can then be used to hijack the device.

No ETA for security patch

Lance Jiang and Moony Li of TrendMicro Research first reported this vulnerability to Google in March. Google acknowledged it and promised a fix, but no ETA was provided.

After Google released its September 2019 Android Security Bulletin, which did not include a fix for this vulnerability, researchers from TrendMicro went public with the details.

Worth noting

With no security fix from Google, it is up to Android users to keep their devices safe from attacks. It is highly recommended that users install applications only from verified sources.

Brian Gorenc, from TrendMicro’s ZDI program, told BleepingComputer, “They should only load known-good apps directly from the Google Play store and avoid side-loading apps from third parties.”

Cyware Publisher