Android security has come a long way in recent years. Monthly security patches have kept hundreds of threats at bay, while Google Play Protect is there to keep malware out of the Play Store. However, there are still instances where rogue actors can exploit hidden vulnerabilities in Android’s code for nefarious purposes. Zhenpeng Lin, a security researcher and PhD student at Northwestern University, recently discovered such a vulnerability in the Google Pixel 6, and you may be at risk even after installing the latest July 2022 security update.
The vulnerability in question affects the Android kernel, allowing the attacker to gain arbitrary read and write access, root privileges, and the ability to disable SELinux. With this kind of privilege escalation, a malicious actor could tamper with the operating system, manipulate built-in security routines, and do much more harm.
The latest Google Pixel 6 pwned with a 0day in the core! Obtained arbitrary read/write to elevate privileges and disable SELinux without hijacking control flow. The bug also affects Pixel 6 Pro, other Pixels are not affected 🙂 pic.twitter.com/UsOI3ZbN3L
— Zhenpeng Lin (@Markak_) July 5, 2022
While Lin demonstrated the exploit on the Google Pixel 6, a handful of current-gen Android devices are susceptible to this particular zero-day threat, including the Google Pixel 6 Pro and the Samsung Galaxy S22 family. Indeed, the vulnerability in question affects all Android devices running Linux kernel version 5.10. The standard Linux kernel is also affected, according to Lin.
Notably, precise details of the vulnerability have not been made public. Lin, however, is set to appear at Black Hat USA 2022 along with two other researchers, Yuhang Wu and Xinyu Xing. According to the brief of their presentation, “Cautious: a new method of exploitation! No pipe but as bad as Dirty Pipe”, the attack vector is essentially a generalized but more powerful version of the infamous Dirty Pipe vulnerability. Additionally, it can be extended to allow container escape on Linux as well.
Although Google has already been notified, we have yet to see a public CVE entry for the vulnerability. Given how Google’s security patches work, we might not see this issue fixed until the September patch rolls out. The good news is that it is not an RCE (remote code execution) that can be exploited without user interaction. In our opinion, it may be a good idea to hold off on installing random apps from untrusted sources until the patch is installed.