Vulnerable devices are also varying in age. They range from the first two Pixel phones and their XL variants, to last year’s flagships like the Huawei P20 and the Samsung Galaxy S9. Google will be patching the vulnerability as part of the October security update, which has already been made available to other brands.
The exploit works in two ways. One is, as you’d expect, though the installation of untrusted apps. The other is a little odd, as it relies on another vulnerability in the Chrome browser’s code. So it may be a good idea to use another browser on your mobile device for the time being. Reports indicate that the vulnerability has already been exploited by Israel-based NSO Group. Representatives from NSO have denied having anything to do with this particular vulnerability. (Source: Project Zero via Ars Technica)