Google Patches Critical Android RCE Bug

Google’s June security bulletin addresses 90+ bugs in Android and Pixel devices.

Google patched more than 90 security vulnerabilities in its Android operating system impacting its Pixel devices and third-party Android handsets, including a critical remote code-execution bug that could allow an attacker to commandeer a targeted vulnerable mobile device.

That bug (CVE-2021-0507) exists in the System component in the Android OS, and could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process, according to Google’s June security bulletin. It’s the most severe bug of those patched so far this June, the company said.

The Android System component of the OS also has a second critical vulnerability, an elevation-of-privilege (EoP) issue tracked as CVE-2021-0516. Further details were not given on that flaw. Typically, Google does not release the technical details of patched vulnerabilities until an overwhelming majority of vulnerable handsets receive the fixes.

Google also addressed several high-severity EoP issues in other components within the OS, including one in Android runtime (CVE-2021-0511) that could enable a local attacker to execute arbitrary code and bypass user interaction requirements in order to gain access to additional permissions.

Media Framework meanwhile has four EoP issues (CVE-2021-0508, CVE-2021-0509, CVE-2021-0510, CVE-2021-0520), the most severe of which could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.

Two additional high-severity EoP issues (CVE-2020-14305, CVE-2021-0512) exist in the upstream kernel as well, the most severe vulnerability of which could lead to local escalation of privilege with no additional execution privileges needed.

The internet giant also addressed several high-severity information-disclosure issues for Android, such as one in Framework (CVE-2021-0521) that could lead to local information disclosure of cross-user permissions with no additional execution privileges needed.

Pixel Device Fixes

The bugs in Google’s Pixel devices are mainly rated moderate in severity, including a pair of denial-of-service (DoS) problems in Android runtime (CVE-2020-1971 and CVE-2021-0555), and an RCE issue in Media Framework (CVE-2021-0557).

In all, Pixel has 43 security holes, affecting Android runtime, Framework, Media Framework, System, kernel components and Pixel components (Knowles IAXXX adnc driver and Pixel Launcher).

Only four of them are high-severity: two EoP issues in Pixel components (CVE-2021-0607 and CVE-2021-0608), an EoP issue in Media Framework (CVE-2021-0565) and another EoP bug in Framework (CVE-2021-0571).

Google didn’t release further details on any of the flaws. The security patch level of 2021-06-05 or later resolves all issues.
