The exploit was discovered by Google's Project Zero team, and its Threat Analysis Group believes it was used in real-world attacks by Israel's NSO Group. That company has been implicated in the past in attacks on human rights and political activists.
Google said that the zero-day is not as dangerous as others in the past, as it "requires installation of a malicious application for potential exploitation," said an Android representative. That means it can't be triggered by a web browser or other app without additional exploits already in place.
Google has angered other tech companies in the past by revealing vulnerabilities before they're patched, but at least it's following its own guidelines here. The company said that it notified Android partners and made the patch available for the Android Common Kernel. "Pixel 3 and 3a devices are not vulnerable, while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update," the team added. Other devices affected are the Xioami Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3 and the Moto Z3.