A post from the Chocolate Factory's in-house Project Zero crew outlines the flaw, a use-after-free bug in the Android Binder driver that could be exploited by a local app to elevate privileges, The Register reported.
In fact, strike the "could" because Google bug-hunters say the flaw is already being targeted in the wild by criminals to compromise some Android devices, including the Pixel 2, Samsung S7-S9, Moto Z3, and Huawei P20, among others.
While the flaw in question is unpatched in the Android kernel, the underlying use-after-free issue has been known for years and was patched. In the more recent versions of Android, however, it re-emerged. There is currently no CVE number associated with the flaw.
"This issue was patched in Dec 2017 in the 4.14 LTS kernel, AOSP Android 3.18 kernel , AOSP Android 4.4 kernel , and AOSP Android 4.9 kernel," notes Project Zero's Maddie Stone, "but the Pixel 2 with most recent security bulletin is still vulnerable based on source code review."
As the vulnerability must be exploited locally, users and admins will go a long way towards protecting themselves by making sure they do not download any apps from untrusted sources and keep their systems updated to block against other flaws that could be chained with this bug to create remote attacks.