Google has patched some serious bugs in Android, including a couple of critical flaws that could let hackers run their own code on the mobile operating system (OS).

As with many new patch releases, the details about one of the most critical vulnerabilities, CVE-2020-0022, are not yet public. However, what Google does tell us in its February 2020 advisory is that it lies in the system component of Android, which contains the system apps that ship with the OS.

It’s a remote code execution bug in the context of a privileged process, giving the attacker a high level of access to the operating system, and it applies to versions 8.0, 8.1, and 9 of the Android Open-Source Project (AOSP), on which the various phone implementations of Android are based. It also looks like there’s another, less dangerous, vulnerability associated with this bug, which renders a phone subject to a denial of service (DoS) attack.

The other critical-ranked bug is CVE-2020-0023, this is an information disclosure vulnerability and applies to version 10 of the AOSP.

Overall, there are 25 bugs. Aside from six in Android’s system component, there are seven in the Android Framework, which contains the Java APIs for the OS. All the Framework bugs are ranked high, with some extending back to version 8.0 of the AOSP. The worst one could enable a malicious application to gain extra privileges by bypassing use interaction requirements, the developers said.

There were just two bugs at the kernel level, both rated high and both leading to escalation of privileges. An attacker using one of these bugs could execute arbitrary code in the context of a privileged process, the advisory said.

Finally, there were two sets of bugs relating to Qualcomm components. The first set involved open-source components. There were six bugs here, rated high, spanning the camera, the kernel, the audio subsystem, and the graphics. The second set involved closed-source components from Qualcomm. All four of those bugs were rated high, and Qualcomm provided a separate advisory for them.

The Android security bulletin contains two patch levels. The Framework and system groups fall under patch level 2020-02-01, while the kernel and Qualcomm patches are grouped under 2020-02-05. Google did this so that OEMs could fix a subset of vulnerabilities that were similar across all Android devices more quickly, it said in the advisory. However, device vendors really should patch the lot, it warned.

What to do

So, when can Android users get these patches?

Users of Google’s Pixel phones are likely to get them first. The company has already issued factory images and over the air (OTA) updates for phones going back to and including the Pixel 2, for which support ends this October. Users of other companies’ Android products should wait until they fold the patches into their own Android implementations.

Beratung Consulting

Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.

Sophos Authorised Partner