A newly-discovered bug has left at least 18 widely-sold Android phones open to hackers, including the Samsung S9 and Google Pixel 2 series.
The bug is known as a zero-day vulnerability, meaning that Android-owner Google was blissfully unaware of its existence until about a week ago. What's worse is that the bug is currently being exploited by hackers — including, allegedly, by Israeli cybersecurity NSO Group.
So, which phones are affected by the bug, and is there anything you can do to avoid being hacked?
Android security vulnerability
The security bug is particularly troubling, as it can allow a hacker to completely take over a compromised device. To do so, a user would need to unwittingly download a malicious app – either from the Play store, or an alternative app store; or, a user would need to visit a malicious site in the Chrome browser. The latter is depressingly easy to do when clicking through from a phishing email, for example.
Bugs are regularly detected and patched against, especially on major desktop or mobile operating systems, which are key targets for malicious actors. It's rare that a security bug is actually exploited by a hacker.
However, alarmingly, the report by Google's Project Zero security team suggests, “We have evidence that this bug is being used in the wild”.
The Android security team will be hard at work patching against this vulnerability, so watch out for OS updates in October.
Does the bug affect all Android phones?
Fortunately, not all Android phones are affected by the vulnerability. However, it does affect a range of phones from a variety of major brands — including some popular flagship phones from Samsung, Huawei, and even Google itself.
Here's the list of phones affected, according to Google's Project Zero security team:
- Google Pixel 1 & 1 XL
- Google Pixel 2 & 2 XL
- Huawei P20
- Samsung S7, s8, S9
- Xiaomi Redmi 5A
- Xiaomi Redmi Note 5
- Xiaomi A1
- Oppo A3
- Moto Z3
- LG phones running Android Oreo
However, this list isn't exhaustive, according to the Project Zero team. So, it's worth making sure that your phone has the latest security updates installed.
Is there anything you can do?
Beyond ensuring your phone has all the latest security updates installed, no.
If you own a Pixel 1 or 2 series phone, you should be getting a fix for the vulnerability in the October Android update. There's no word on fix availability from other brands. It's also worth noting that the later Pixel 3 and 3a series of phones aren't affected.
How to avoid being hacked
There are two ways in which this bug can be exploited:
- If you install a malicious app from the Play Store
- If you visit a malicious site in the Chrome browser, and pair your browser session with your Android phone
Avoiding malicious Google Play apps is fairly easy — before downloading anything from the Play Store make sure it's verified by Google Play Protect.
It's also fairly easy to avoid visiting shady websites — always long press on links to check where they go before clicking them.
Read more of the latest tech news on Tech.co: