Gong is the first to report an Android exploit chain since Google introduced bigger cash rewards for finding bugs. He reported the bugs to the Android security team back in August 2017, and the fix was released as part of the December security update. So affected devices with a security patch level of 2017-12-05 are safe from the exploit.
The two vulnerabilities, when combined, can allow an attacker to remotely inject arbitrary code into a Pixel device’s system_server process by making the user visit a crafted link. According to Guang, an example of a vulnerable environment for reproducing the exploit is a Pixel running Chrome 60.3112.107 and Android 7.1.2 (security patch level 2017-08-05).
Pixel phones are considered to be the safest on the market. But this is not the first time Gong has exposed Google’s Pixel in the wild. At Pwn2Own 2016, his Qihoo 360 Alpha team won a cash prize of $120,000 for taking down a Pixel in just 60 seconds. However, no hacker team managed to embarrass the Pixel at the Pwn2Own 2017 contest.
You can find more details about the Pixel remote exploit chain using this link.