Google researchers have discovered an unpatched vulnerability on its own Android OS that affect the Pixel 1 and 2, Huawei P20, Samsung Galaxy S7, S8, and S9 and other devices. It disclosed the problem just seven days after finding it, as the exploit is a "zero-day" that is already being exploited in the wild. Oddly, the bug -- which affects Android 8.x and later -- was discovered and patched in December 2017 on earlier versions of the OS. However, the fix was apparently not carried over to newer versions.
The exploit was discovered by Google's Project Zero team, and its Threat Analysis Group believes it was used in real-world attacks by Israel's NSO Group. That company has been implicated in the past in attacks on human rights and political activists.
Google said that the zero-day is not as dangerous as others in the past, as it "requires installation of a malicious application for potential exploitation," said an Android representative. That means it can't be triggered by a web browser or other app without additional exploits already in place.
Google has angered other tech companies in the past by revealing vulnerabilities before they're patched, but at least it's following its own guidelines here. The company said that it notified Android partners and made the patch available for the Android Common Kernel. "Pixel 3 and 3a devices are not vulnerable, while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update," the team added. Other devices affected are the Xioami Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3 and the Moto Z3.