In early October, Google's Project Zero warned of a vulnerability in some Android devices which, according to the advisory, was already being actively exploited by customers of the controversial NSO Group. Google had known about the underlying flaw for a year and a half and had even fixed it. The catch: on its own devices, and on those of many partners, that important fix never arrived. This is not an embarrassing slip but a failure that was foreseeable well in advance.
Ironically, Google's Project Zero exists precisely to make life as hard as possible for companies like the NSO Group. The team hunts for particularly critical vulnerabilities in other companies' software, but also in Google's own products, with the aim of making the trade in such exploits as unattractive as possible. In this case that did not work, and Google was left in the rather sorry role of a bystander. Despite knowing better, the company acted only when it was already too late: it closed the gap in its own devices only after the flaw had been actively exploited in attacks, although that could have happened much sooner.
Submitted by: Arnfried Walbrecht