Google has released a security update for a critical flaw in its Android operating system that allows hackers to execute remote code on affected handsets, potentially allowing an adversary to gain remote access to the device. Part of Google’s February Android Security Bulletin, released Monday, also warns of a second critical flaw that could allow a remote hacker to gain access to an Android handset and obtain sensitive data.
Tracked as CVE-2020-0022, the remote code execution (RCE) bug impacts Android versions Pie (9.0) and Oreo (8.0, 8.1). The same CVE also impacts Google’s most recent Android version, called 10. However, with Android 10, the severity rating is moderate and the impact is not a RCE bug, but rather a denial of service threat.
Google said an over-the-air update and firmware images for Google devices are available for its Pixel and Nexus devices, and third-party carriers will also deliver updates to vendor handsets.
As for the RCE bug, Google said an adversary could exploit the flaw by sending, “a specially crafted transmission to execute arbitrary code within the context of a privileged process.” A privileged process includes trusted function of the device or a third-party application.
“Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” according to a warning from the Center for Internet Security (CIS), a security-focused non-profit that works with private, pubic and academic institutions. “If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.”
Attack vectors could include a threat actor luring a victim to a website hosting a malicious media file, or sending one via email or as a texted MMS message.
CIS said there are no reports of any of February’s vulnerabilities being actively exploited.
The second critical bug patched by Google, as part of its February security update, is an information disclosure vulnerability. Tracked as CVE-2020-0023, this bug, when exploited, gives adversaries access to sensitive and confidential information associated with specific applications.
Specifics regarding either of the critical CVEs have not yet been made available. Typically, vulnerability details are released as device patch levels reach a meaningful threshold. Altogether, Google’s February patch roundup for its Android OS includes 25 bugs and patches. Nineteen of those vulnerabilities are rated high, with four additional bugs also rated high, but associated with Qualcomm chipsets used inside Android devices.