Samsung, Huawei, Xiaomi, OPPO, Google, and other Android devices have been exploited, according to reports, with a vulnerability discovered by Google’s Project Zero.

“Full compromise” of a device is possible, according to an Android spokesperson, if an attacker manages to install a malicious application, or, in a second scenario, succeeds in pairing the attack with a second exploit with the aid of a program, like a web browser.

The exploit was found in the real world, meaning it was recently used or sold by the “NSO Group, an Israeli-based spyware vendor which was most recently behind a piece of spyware that can be injected into a phone via a WhatsApp call”, according to The Verge.

The bug was flagged to Google on September 27, with a seven-day window for Google to fix the problem, or otherwise it would go public. Today, it went public, meaning Google failed to fix the issue at the time of this post.

In an odd twist, the researchers said that the same bug had previously been patched in December 2017, but it appears to have reemerged in subsequent versions of the Android kernel — The Verge

Here’s a non-exhaustive list of devices that are believed to be affected:

  • Pixel 1
  • Pixel 1 XL
  • Pixel 2
  • Pixel 2 XL
  • Huawei P20
  • Xiaomi Redmi 5A
  • Xiaomi Redmi Note 5
  • Xiaomi A1
  • Oppo A3
  • Moto Z3
  • Android Oreo LG phones
  • Samsung Galaxy S7
  • Samsung Galaxy S8
  • Samsung Galaxy S9