Attackers are reportedly exploiting an unpatched vulnerability to take control of Android devices and potentially deliver spyware. The flaw affects phones models from multiple manufacturers including Google, Samsung, Huawei, LG and Xiaomi.The vulnerability is a use-after-free memory condition in the Android Binder component that can result in privilege escalation. The flaw was patched without a CVE identifier in Dec. 2017 in the Linux 4.14 LTS kernel, the Android Open Source Project\u2019s (AOSP) 3.18 kernel, the AOSP 4.4 kernel and AOSP 4.9 kernel.AOSP maintains the reference Android code, but individual device manufacturers, including Google itself, do not use it directly. They maintain separate firmware trees for their devices, which often run different kernel versions. This means every time a vulnerability is fixed in AOSP, device makers have to import the patch and apply it to their customized firmware code; and this particular one appears to have been missed.According to a report by Google Project Zero researcher Maddie Stone, Google\u2019s Pixel 2 with Android 9 and Android 10 preview is vulnerable and so are the Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note 5, Xiaomi A1, Oppo A3, Moto Z3, Samsung S7, S8 and S9, as well as LG phones that run Android Oreo.In a message on Twitter, Stone clarified that those are the devices for which she confirmed the flaw via source code review, but she noted that \u201cmost Android devices pre-Fall 2018 are affected.\u201dLike most privilege escalation issues, this vulnerability can be exploited by a malicious application installed on the device to gain root privileges -- full control of the device. This allows an escape from the application sandbox, which is fundamental to the Android security model. In addition, according to Stone, it can also be targeted directly from the Web if it\u2019s chained with a browser renderer exploit, because the flaw is also accessible through the browser sandbox.The Android project has shared the necessary information with the affected vendors and the patch is already available, so now it\u2019s up to them to integrate it into their firmware and release updates for affected devices. Google plans to fix the issue for Pixel 1 and 2 in this month\u2019s upcoming update. Pixel 3 and 3a are not vulnerable.Evidence of exploitation in the wildWhile investigating the flaw, Stone received technical details from Google's Threat Analysis Group (TAG), as well as external parties about an Android exploit that is \u201callegedly being used or sold by the NSO Group\u201d and whose technical details match this privilege escalation flaw.\u201cI have determined that the bug being used is almost certainly the one in this report as I ruled out other potential candidates by comparing patches,\u201d Stone said.NSO Group is an Israel-based cyber intelligence company that develops surveillance software for use by law enforcement and intelligence agencies. In 2016, researchers from Citizen Lab at the University of Toronto and mobile security firm Lookout reported that NSOs so-called lawful intercept software dubbed Pegasus was used to spy on a human rights activist in the United Arab Emirates. The spyware was deployed at the time using three iOS zero-day exploits that researchers dubbed Trident. More recently, in May, the Financial Times reported that a vulnerability in WhatsApp was being exploited to deliver Pegasus.\u201cNSO did not sell and will never sell exploits or vulnerabilities,\u201d an NSO Group spokesperson told CSO in an emailed statement regarding the new Android exploit. \u201cThis exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives.\u201dStone noted in her report that Google Project Zero doesn\u2019t have a sample of the exploit. \u201cWithout samples, we\u00a0have neither been able to confirm the timeline nor the payload,\u201d she said.