The zero-day was discovered at the start of this month by Google Project Zero security researchers. At the time, Google said the zero-day was being actively exploited in the wild.
When it disclosed the zero-day (tracked as CVE-2019-2215), Google security researcher Maddie Stone also published proof-of-concept (PoC) code, but her code only granted read/write access to the kernel.
To weaponize her PoC, an attacker would still need to find a way to bypass the many other security protections available at the Android kernel level.
Named Qu1ckR00t, the PoC can bypass DAC (Discretionary Access Control) and Linux Capabilities (CAP), and can disable SELinux (Security-Enhanced Linux), SECCOMP (Secure Computing Mode), and MAC (Mandatory Access Control).
The end result is a more intrusive PoC that can be used to root an Android device, giving a user/attacker full control of the device.
The code has been released on GitHub in its source code form, and not as an already-packaged APK file (the format of an Android app). Users will have to compile it themselves, but when compiled, they will have access to an app that can root an Android smartphone with one click.
Hernandez said he only tested Qu1ckR00t with Pixel 2 handsets, and warns non-experienced users from playing with the code, as they risk bricking their OS and losing data.
The downside to releasing a tool like Qu1ckR00t is that malware authors can now study the code too. This improved PoC can be embedded inside malicious apps to allow Android spyware, trojans, or ransomware to get root access to the devices they infect.
To avoid any issues, users are advised to install necessary patches. Google has patched CVE-2019-2215 in the Android October 2019 security bulletin (security patch level 2019-10-06).
Google said the CVE-2019-2215 zero-day impacted smartphone models from different vendors, such as:
Pixel 2 with Android 9 and Android 10 preview
Xiaomi Redmi 5A
Xiaomi Redmi Note 5
Oreo LG phones
Samsung S7, S8, S9
Only devices running Android 8.x and later are vulnerable.
Teracube Android smartphone first look: in pictures