Google Project Zero's analysis of a 0-click exploit chain against the Pixel 9 points to systemic Android security issues. Within days the team found critical vulnerabilities in the Dolby UDC audio codec and the BigWave driver, turned them into working exploits in a matter of weeks, and then waited more than 139 days for patches to reach devices. The key problems identified are AI features that expand the attack surface, kASLR that is ineffective on Pixel devices, missing seccomp policies, and poor vulnerability prioritization by vendors. The research shows that a well-resourced attacker can develop a 0-click exploit in person-weeks, while fragmented responsibility between codec vendors, OEMs, and Google leaves users exposed for far longer than that. Recommendations include rigorous attack surface analysis, comprehensive fuzzing, memory safety mitigations such as MTE, faster patch delivery by shipping components as updatable APEX modules, and treating all externally sourced software as potentially compromised.
Table of contents
Audio Attack Surface
Bug Discovery Time Frames
Ease of Exploitability
Patch Timeframe
Patch Propagation
Conclusion