According to Google Project Zero member Maddie Stone, there is evidence that the exploit is being used in the wild, which is why it has de-restricted the bug seven days after reporting it to Android.
The bug affects at least 18 Android smartphones, including the following:
Pixel 1
Pixel 1 XL
Pixel 2
Pixel 2 XL
Huawei P20
Xiaomi Redmi 5A
Xiaomi Redmi Note 5
Xiaomi A1
Oppo A3
Moto Z3
Oreo LG phones
Samsung S7
Samsung S8
Samsung S9
"The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device," explained Stone.
"If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox."
Android released a statement highlighting that the issue is "high" in severity.
"This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit."
"We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update."
It s not certain when the exploit will be patched on non-Pixel devices.