Natalie Silvanovich & Seth Jenkins

A 0-Click Exploit Chain For The Pixel 10

Abstract

Attackers are often reported to target mobile devices with 0-click exploits, but limited information is available about how such exploits work on modern Android devices. This talk will explain how Project Zero exploited two vulnerabilities to compromise a Google Pixel 9 remotely, without user interaction. It will then explain how we chained a different privilege escalation vulnerability to exploit the Pixel 10.

The chain starts with a vulnerability in an audio decoder used across the Android ecosystem, and we will describe how we exploited this bug without any feedback from the device. We will then demonstrate how we escaped the mediacodec sandbox and gained kernel access on two different devices. The techniques we'll share are broadly applicable to Android.

Finally, we'll share what we learned: what went right and wrong with Android mitigations, and how mobile device vendors can further protect their devices against these types of attacks.

BIO

Natalie Silvanovich leads Google Project Zero. Her current research focus is messaging applications and video conferencing. Outside of work, Natalie enjoys applying her hacking and reverse engineering skills to unusual targets and has spoken at several conferences on the subject of Tamagotchi hacking.

Seth Jenkins is a security researcher at Google Project Zero. He primarily focuses on Linux kernel and Android zero-day research but has dabbled in a variety of architectures, operating systems, and software. He particularly enjoys innovating novel strategies for exploit development.