While our previous two blog posts provided technical recommendations for increasing the effort required by attackers to develop 0-click exploit chains, our e...

Project Zero is Google's security research team dedicated to finding and fixing zero-day vulnerabilities in software and hardware, aiming to improve the security of the broader internet ecosystem. Security researchers can learn about vulnerability research, exploit development, and responsible disclosure practices to contribute to making the internet safer for everyone.

Project Zero

Google Project Zero's analysis of a 0-click Pixel 9 exploit chain reveals systemic Android security issues. The team found critical vulnerabilities in Dolby UDC audio codec and BigWave driver within days, exploited them in weeks, and faced delayed patches (139+ days). Key problems include AI features expanding attack surfaces, ineffective kASLR on Pixel devices, missing seccomp policies, and inadequate vulnerability prioritization by vendors. The research highlights that well-resourced attackers can develop 0-click exploits in person-weeks, while fragmented responsibility between codec vendors, OEMs, and Google leaves users vulnerable. Recommendations include rigorous attack surface analysis, comprehensive fuzzing, memory safety mitigations like MTE, faster patch deployment via APEX, and treating all external software as potentially compromised.

A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here?