Android security updates normally include two parts: general updates that affect most users, and updates affecting specific partners, such as hardware partners like NVIDIA, Broadcom and Qualcomm. Here we’ve summarized the general security updates in the Android Security Bulletin for security patch level 2017-02-05.
- 4 Remote Code Execution Vulnerabilities: These vulnerabilities allow attackers to execute arbitrary code on user devices. Two of the discovered vulnerabilities are considered critical, since they cause memory corruption in privileged processes, while the other two are considered high severity, since they cause arbitrary code execution in unprivileged processes. The vulnerabilities are found in Surfaceflinger, Mediaserver, libgdx and libstagefright.
- 5 Privilege Escalation Vulnerabilities: These vulnerabilities allow unprivileged processes, such as those of third-party apps, to escalate privileges to the system level, bypassing sandbox restrictions. Four of these privilege escalation vulnerabilities are rated as high impact, while the remaining one is rated as medium impact. These vulnerabilities are found in Java.Net, Framework APIs, Mediaserver, Audioserver and Bluetooth.
- 6 Information Disclosure Vulnerabilities: These vulnerabilities allow malicious apps to access user data. Three are rated as high impact and three as medium impact. The vulnerabilities are found in AOSP Mail, AOSP Messaging, Audioserver, Filesystem and Framework APIs.
- 1 Denial of Service Vulnerability in Bionic DNS: As this vulnerability allows an attacker to reboot or hang user devices remotely, it is rated as high impact.
Google advises users to update their device OS to the latest version. Google also suggests that users should not be worried, since the apps on the Google Play Store are scanned by VerifyApps, a cloud-based in-house malicious app detection tool, and SafetyNet, an API for developers to test their apps for security vulnerabilities.
However, Appthority would like to warn users that VerifyApps and SafetyNet only cover application-level security. They do not discover or fix new platform-level security vulnerabilities, which can only be fixed when users update their OSes. Therefore, Appthority urges users to update their devices to the latest OS version. We also recommend that enterprise IT admins set strong policies against keeping outdated OS versions on their employees’ mobile devices.
Among all the vulnerabilities discovered, nine were discovered by the C0re team, which is focused on finding systematic ways of detecting zero-day vulnerabilities on the Android platform. The other six were discovered by Google internal teams. Appthority would like to applaud them and the rest of the contributors for responsibly reporting and helping Google fix these platform vulnerabilities.