Among Google’s November Android security updates is a patch for a zero-day weakness that “may be under limited, targeted exploitation,” the company said.
Out of this month’s batch of 39 patches, 18 of them plug flaws in the framework and system components and another 18 address vulnerabilities in the kernel and vendor components.
Use-After-Free Flaw in the Kernel
Google described the one that attackers may be picking apart – CVE-2021-1048 – as caused by a use-after-free (UAF) vulnerability in the kernel. UAF bugs allow for code substitution by using a dangling pointer in dynamic memory. In this case, it can be exploited for local escalation of privilege and, when paired with a remote code execution (RCE) bug, an exploit could allow attackers to gain administrative control over a targeted system.
The internet titan kept its lips zipped about the specifics of the attacks exploiting CVE-2021-1048, but the fact that they’re targeted raises the possibility of nation-state advanced persistent threat (APT) groups carrying them out for espionage.
There’s precedent for that: Earlier this year, Android devices were targeted in an espionage campaign that adapted the LodaRAT – known for targeting Windows devices – to also go after Android devices in a campaign that targeted Bangladesh.
Most Severe Issues
The most severe of the updates address two critical remote code execution (RCE) vulnerabilities – tracked as CVE-2021-0918 and CVE-2021-0930 – in the System component. The flaws could enable a remote attacker to execute arbitrary code within the context of a privileged process by sending a specially crafted transmission to targeted devices.
“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed,” according to the security update.
There are two more critical security flaws addressed in this month’s patches: CVE-2021-1924 and CVE-2021-1975, both of which affect Qualcomm components.
Yet another critical flaw can be found in Android TV remote service – which allows Android phones or tablets to be used as a remote for an Android TV. This one’s another RCE, tracked as CVE-2021-0889. A nearby attacker who manages to exploit CVE-2021-0889 could creep up, silently pair with a TV, and execute arbitrary code with no privileges or user interaction required.
Another 29 bugs are rated as high-severity, with patches addressing vulnerabilities in the Framework, Media Framework, System, kernel, Android TV, MediaTek and Qualcomm components.
Google issued a separate security advisory for Pixel devices.
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.