Two critical bugs and more malicious apps make for a bad week for Android

(credit: Ron Amadeo)

It was a bad week for millions of Android phone users. Two critical vulnerabilities were disclosed but remain unpatched in a large percentage of devices, while, separately, malicious apps were downloaded as many as 2.5 million times from Google’s official Play Marketplace.

The vulnerabilities, which are similar in severity to the Stagefright family of bugs disclosed last year, have been fixed in updates Google began distributing Tuesday. A large percentage of Android phones, however, aren’t eligible to receive the fixes. Even those that do qualify don’t receive them immediately (the September updates are currently not available as over-the-air downloads for either of the Nexus 5X devices in my household). That gives attackers crude blueprints for exploiting vulnerabilities that remain unpatched on millions of devices.

“Extremely serious bug”

The first vulnerability was disclosed by Mark Brand, a researcher with Google’s Project Zero security team. Indexed as CVE 2016-3861, it allows attackers to execute malware or escalate local privileges on vulnerable phones. Brand warned that it’s “an extremely serious bug” because it can be exploited in a large variety of ways. He also said CVE 2016-3861 wasn’t particularly hard to detect, a finding that increases the chances that other researchers already knew about it. (In any event, Brand included proof-of-concept exploit code with his disclosure. A Google spokesman said the exploit was for research purposes, worked only on an undisclosed subset of Nexus devices, and “could not be used in real world attacks without substantial modification and even further research.”) Brand didn’t say exactly which Android version introduced the code-execution vulnerability, but he indicated that it’s present in at least several of the most recent releases.

Read 6 remaining paragraphs | Comments


Author: WITS Curators

Bo Washington is a Certified Computer Specialist and the owner and operator of Washington IT Solutions, a local Bartlesville computer repair company. He has been fixing computers since the late 90's and has clocked up thousands of hours performing hardware upgrades, system builds, software installations, virus and spyware removal using the most up to date techniques and general computer services.

Share This Post On

Leave a Reply

%d bloggers like this: