Google has patched some serious bugs in Android, including a couple of critical flaws that could let hackers run their own code on the mobile operating system (OS).
As with many new patch releases, the details about one of the most critical vulnerabilities, CVE-2020-0022, are not yet public. However, what Google does tell us in its February 2020 advisory is that it lies in the system component of Android, which contains the system apps that ship with the OS.
It’s a remote code execution bug in the context of a privileged process, giving the attacker a high level of access to the operating system, and it applies to versions 8.0, 8.1, and 9 of the Android Open-Source Project (AOSP), on which the various phone implementations of Android are based. It also looks like there’s another, less dangerous, vulnerability associated with this bug, which renders a phone subject to a denial of service (DoS) attack.
The other critical-ranked bug, CVE-2020-0023, is an information disclosure vulnerability that applies to version 10 of the AOSP.
Overall, there are 25 bugs. Aside from six in Android’s system component, there are seven in the Android Framework, which contains the Java APIs for the OS. All the Framework bugs are ranked high, with some extending back to version 8.0 of the AOSP. The worst one could enable a malicious application to gain extra privileges by bypassing user interaction requirements, the developers said.
There were just two bugs at the kernel level, both rated high and both leading to escalation of privileges. An attacker using one of these bugs could execute arbitrary code in the context of a privileged process, the advisory said.
Finally, there were two sets of bugs relating to Qualcomm components. The first set involved open-source components. There were six bugs here, rated high, spanning the camera, the kernel, the audio subsystem, and the graphics. The second set involved closed-source components from Qualcomm. All four of those bugs were rated high, and Qualcomm provided a separate advisory for them.
The Android security bulletin contains two patch levels. The Framework and system groups fall under patch level 2020-02-01, while the kernel and Qualcomm patches are grouped under 2020-02-05. Google did this so that OEMs could fix a subset of vulnerabilities that were similar across all Android devices more quickly, it said in the advisory. However, device vendors really should patch the lot, it warned.
What to do
So, when can Android users get these patches?
Users of Google’s Pixel phones are likely to get them first. The company has already issued factory images and over the air (OTA) updates for phones going back to and including the Pixel 2, for which support ends this October. Users of other companies’ Android products will have to wait until those vendors fold the patches into their own Android implementations.
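A quick way to tell whether a given device has reached either of the two February 2020 patch levels mentioned above is to read its security patch level string and compare it with the bulletin’s dates. The script below is an added example, not code from the article or from Google; it uses the standard Android property `ro.build.version.security_patch` (readable with `adb shell getprop`) and classifies the value as fully patched (2020-02-05 or later), framework/system only (2020-02-01 to 2020-02-04), or unpatched. The sample levels fed to it at the end are constructed, not real device output.

```shell
#!/bin/sh
# Added example (not part of the article): classify an Android security
# patch level string against the two February 2020 bulletin patch levels.
# On a live device the level comes from:
#   adb shell getprop ro.build.version.security_patch

FRAMEWORK_LEVEL=2020-02-01   # framework + system fixes (from the bulletin)
FULL_LEVEL=2020-02-05        # kernel + Qualcomm fixes as well

# Convert YYYY-MM-DD to the integer YYYYMMDD so two levels can be compared
# with -ge. Returns 1 (and prints nothing) for anything not in that format.
level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) echo "$1" | sed 's/-//g' ;;
        *) return 1 ;;
    esac
}

# patch_level_status LEVEL -> prints one of: full | partial | unpatched | invalid
patch_level_status() {
    n=$(level_to_int "$1") || { echo invalid; return 0; }
    if [ "$n" -ge "$(level_to_int "$FULL_LEVEL")" ]; then
        echo full          # 2020-02-05 or later: both patch levels applied
    elif [ "$n" -ge "$(level_to_int "$FRAMEWORK_LEVEL")" ]; then
        echo partial       # framework/system fixed, kernel/Qualcomm still open
    else
        echo unpatched     # predates the February 2020 bulletin entirely
    fi
}

# check_device: query a connected device over adb, if adb is installed.
# Not called automatically below, so the script also runs without adb.
check_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; skipping live device check" >&2
        return 0
    fi
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    echo "device patch level $level: $(patch_level_status "$level")"
}

# Constructed sample levels (not real device output) to show each outcome.
for sample in 2019-11-05 2020-02-01 2020-02-05 2020-03-01 garbage; do
    echo "$sample -> $(patch_level_status "$sample")"
done
```

Run `check_device` with a phone attached to see the live result. Note that a device reporting 2020-02-01 has the Framework and system fixes but not the kernel or Qualcomm ones, which is exactly the split the bulletin describes, and why the advisory asks vendors to ship the full 2020-02-05 level.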
6 comments on “Critical Android flaws patched in February bulletin”
Any estimate of the number of Android devices out there that are unable to update and what the consequent cumulative number of unpatched bugs loose in the environment is? (Σ all devices: every unpatched bug)?
Just updated my Essential PH-1. The nice thing about this product is that they continue to provide updates as soon as they are issued.
It was good while it lasted. They are off now.
I really need to upgrade my phone or flash it myself to a newer version.. Hasn’t been patched since November last year.. :/
With all these Android vulnerabilities you’d expect to see mass pwnage of mobile devices. Yet we don’t. They can’t all be running antivirus…
Main problem is down to the big manufacturers getting away with only 2 years of updates (if you’re lucky) from date of release. Shouldn’t have to install LineageOS, etc. just to get updates on an otherwise perfectly fine mobile.