Having been notified back in March, Google has yet to patch a 0-day vulnerability that allows for privilege escalation attacks. TrendMicro researchers in collaboration with the Zero
Day Initiative went public on September 4th, 2019. In order to exploit this vulnerability, attackers must first obtain the ability to execute high-privileged code and would need local access to the Android device. Local access can come in the form of an application maliciously requesting odd permissions – all the more reason to not eagerly grant permissions for just any app.
The vulnerability was found within the Video for Linux 2 (v4l2) driver. This is a device driver API that supports real-time video capturing. How the vulnerability is exploited is by not validating an input objects existence prior to operating on it. Failure to do so allows attackers to escalate privileges using the kernel’s context. Let’s put it this way: obtaining the ability to do anything as the kernel basically allows unrestricted access to a device. I previously wrote about the different layers of a computer system that expands on this subject.
Per the disclosure, the mitigation technique is, “…to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.” On that same note, ensure you only install apps from the Google Play Store and that you’re on the lookout for odd permission requests.