Google Patches for Critical Android Vulnerabilities
One of the latest and most critical Android vulnerabilities can give an attacker privileges to a user’s device simply by tricking them into opening media files in a browser, according to the latest Nexus Security Bulletin.
An attacker could also execute arbitrary code by sending files to the user via multimedia messages (MMS). This critical vulnerability affects the core part of the operating system that handles media playback, the mediaserver Android component.
This is just one of the five critical Android vulnerabilities (12 total) patched by Google that allow for remote code execution or root access. Google released an over-the-air (OTA) update to Nexus devices, patching for the new vulnerabilities for Android 6.0.1, and will publish patches to the Android Open Source Project (AOSP) repository by Wednesday. Google partner manufacturers received updates last month, and will release updates on their own schedules.
Two similar vulnerabilities were reported last October by mobile security firm Zimperium. Stagefright 2.0 (CVE-2015-6602) affects nearly every Android device since version 1.0, released in 2008. The bugs can allow an attacker to execute arbitrary code on an Android device by exploiting the media processing of metadata within MP3 and MP4 files.
Other critical vulnerabilities include kernel-related issues, including a flaw in misc-sd driver from MediaTek and the Imagination Technologies driver that could enable an app to execute arbitrary code within the kernel.
Yet another kernel-related vulnerability could allow an attacker to gain elevated privileges that are not otherwise accessible to third-party apps.
Another high-severity elevation of privilege vulnerability lies in the Bluetooth component of an Android device. A remote device paired to a device’s Bluetooth could gain access to a user’s private information, including a list of their contacts. Typically, these permissions are only given to third-party apps installed locally, but this vulnerability allows an attacker to access a user’s contacts remotely, without a third-party app.
Last month, Symantec reported on an information-stealing Trojan called Android.Spywaller previously detected as Android.Droidwaller in December. Posing as a “Google Service” app, the spyware uses an embedded copy of a legit security tool in order to compromise other security protection tools used to defend against it.
The malware will attempt to root an affected Android device, while collecting sensitive information in the background. The type of data collected includes call logs, SMS messages, GPS readings, system browser data, emails, images, contacts, and third-party app data.The data is sent to the malware’s backend server, according to Symantec.
To protect against these vulnerabilities, keep your Android devices up-to-date with the latest version available, and only download apps from trusted sources (ideally only from the official Google App Store). Don’t root your devices (known as jailbreaking in iOS), that is, unlocking the OS, as that can expose your device to even more potentially exploitable vulnerabilities.
Deploying an endpoint security solution that inventories, analyzes and detects outdated devices authenticating to your company’s networks and applications can help you identify and remediate out-of-date software and operating systems faster, meaning you can quickly close any security gaps that may exist in your environment.