The spyware vendor alleged to have sold the Pegasus malware used to track associates of murdered Saudi journalist Jamal Khashoggi has been implicated in the trading of an Android vulnerability that can be exploited to gain full control over popular late-model smartphones.
Google's Project Zero security team discovered the bug on September 27 and disclosed it to the company's Android developers.
Exploitable in the Chrome browser's renderer process, the bug in the Android Binder driver is a use-after-free vulnerability that allows kernel privilege escalation.
When delivered through a website, the vulnerability only needs to be paired with a renderer exploit to allow for full compromise of devices susceptible to it.
Controversial Israeli spyware vendor NSO Group is believed to be exploiting the bug, Google said. NSO Group denied it had any involvement in a media statement.
"The bug was allegedly being used or sold by the NSO Group," Google senior security engineer Maddie Stone wrote.
Due to this, Project Zero gave the Android team a very short period of time to come up with a patch before going public.
*We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a seven-day disclosure deadline," Stone added.
Project Zero does not have samples of the exploit. The security researchers were able to code a proof-of-concept that confirmed the vulnerability.
Stone said the bug was patched in December 2017, but Google's Pixel 2 and 2XL smartphones with the most recent security bulletin are still vulnerable to the flaw, a source code review found.
Google's Pixel 1, 1XL are also vulnerable, but not Pixel 3 and 3A.
Popular recent devices such as Samsung Galaxy 7, 8, 9, Huawei P20, Xiaomi Redmi A1, 5A and Note 5, Motorola Z3, Oppo A3 and Oreal LG phones are believed to be vulnerable to exploit, based on Project Zero's source code review.
Google's Android team has now released a patch for the vulnerability.
"This issue is rated as high severity on Android and by itself requires installation of a malicious application for potential exploitation.
"Any other vectors, such as via web browser, require chaining with an additional exploit.
"We have notified Android partners and the patch is available on the Android Common Kernel," the developers said.