An issue with the March Android over-the-air security update has been resolved after Nexus 6 users complained that Android Pay no longer worked after installation of the update.
The update in fact broke Android’s SafetyNet API which provides a constant check on device integrity, blocking access to certain features—such as Android Pay—if it believes a device has been rooted.
A Google representative confirmed to Threatpost that the issue was resolved and the OTA update re-issued, even for devices that had already installed the bad update.
A report on Android Police published Friday said the same factory image and OTA file was re-uploaded, and that Google had temporarily disabled SafetyNet on the end-of-life Nexus 6 until a root cause is determined.
The monthly Android Security Bulletin was published March 6, and included two patch levels of March 5 and March 1.
The March 1 patch level included fixes for 11 CVEs, including an update to the Android implementation of OpenSSL and BoringSSL to address a remote code execution flaw in the crypto library. An attacker, Google said, could use a crafted file to corrupt memory during file and data processing and be able to run code remotely.
Mediaserver was again a hot spot for the Android OS with nine remote code execution vulnerabilities patched along with a privilege escalation bug in recovery verifier. An attacker could corrupt memory in Mediaserver during file processing and execute code; Mediaserver has been a focus of researchers since the disclosure and patching of the Stagefright vulnerabilities two summers ago. An attacker could use a malicious mobile application to exploit the recovery verifier vulnerability and run arbitrary code in context of the kernel, Google said.
The March 5 patch level patches two dozen other critical vulnerabilities, including seven different privilege escalation vulnerabilities in MediaTek components and five more in the NVIDIA GPU driver and another five uncategorized bugs in Qualcomm components.
The MediaTek components at risk were the M4U driver, sound driver, touchscreen driver, GPU driver and Command Queue driver, all of which could be exploited by a malicious app to run code at kernel level.
The same scenario applies to the remaining March 5 vulnerabilities rated critical, all of which allow remote code execution in the context of the kernel, Google said. In all three cases, a compromised device would likely have to be re-flashed to remove the attack.
The remaining critical vulnerabilities were all privilege escalation issues in kernel ION, the Broadcom Wi-Fi driver, the kernel FIQ debugger, the Qualcomm GPU driver, and in the kernel networking subsystem.