Unpatched Android Bug Sætter Ejere af Samsung, Xiaomi Telefoner at Risk

Unpatched Android Bug Sætter Ejere af Samsung, Xiaomi Telefoner at Risk

1 Star2 Stars3 Stars4 Stars5 Stars (Ingen stemmer endnu)
Loading ...

Are you holding an Android device in your hands? Perhaps you are reading this article on your Android phone? Android appears to be the most popular mobile operating system. Faktisk, in the second quarter of 2018, 88 percent of all smartphones sold to end users were phones with the Android operating system, i henhold til Statista.

There’s an unpatched flaw in Android, and it’s actively exploited

Så, any news regarding a serious vulnerability in Android, let alone an unpatched issue, should be treated as a threat alert. Angiveligt, attackers have been exploiting such an unpatched vulnerability, and using it to take control of compromised devices, and eventually to drop spyware.

Owners of Huawei, Xiaomi, Samsung, LG and Google phones are affected by this flaw. But what exactly is it?
The unpatched vulnerability is described as a use-after-free memory condition in the Android Binder component, which can result in escalation of privileges. Faktisk, the issue was patched in Linux 4.14 LTS kernel, Android Open Source Project’s (AOSP) 3.18 kerne, AOSP 4.4 kernel and AOSP 4.9 kernel in December 2017 without receiving a CVE identifier. So why is still considered unpatched, if it was addressed two years go?

The reason is that AOSP (Android Open Source Project) takes care of the reference Android code, but individual device manufacturers, såsom Google, don’t implement it directly. These manufacturers maintain separate firmware trees for their devices, which often run different kernel versions. Med andre ord, every time a vulnerability is fixed in AOSP, manufacturers need to import the patch and apply it to their customized firmware code. The problem is that this process hasn’t been done for this particular issue, leaving the vulnerability unpatched.

Here’s a list of vulnerable devices, i henhold til a report by Google Project Zero researcher Maddie Stone:

1) Pixel 2 with Android 9 og Android 10 preview
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
6) Oppo A3
7) Moto Z3
8) Oreo LG phones (run same kernel according to website)
9) Samsung S7, S8, S9

It is important to note, dog, that the listed devices may not the only ones affected, as “most Android devices pre-Fall 2018 are affected”, according to Stone.

Relaterede: Android Apps Can Harvest Your Data Even If You Have Denied Permissions

How can this unpatched Android flaw be exploited

Being a privilege escalation vulnerability, it can be leveraged by a malicious application to obtain root privileges, which shortly means full device control. The vulnerability enables an escape from the application sandbox, which is central to the security of Android. Endvidere, if the flaw is chained with a browser renderer exploit, it can be targeted from the Web, as the flaw can be leveraged through the browser sandbox.

What is worse is that researchers have evidence that the bug is being exploited in the wild:

We have evidence that this bug is being used in the wild. Derfor, this bug is subject to a 7 day disclosure deadline. Efter 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

The good news is that AOSP has shared details with the affected vendors, and the patch is available for implementation. It depends on each vendor when the patching is done, and updated for affected devices are released. Google, for eksempel, says that the vulnerability will be fixed for Pixel 1 og 2 in this month’s update.


Milena Dimitrova

En inspireret forfatter og indhold leder, der har været med SensorsTechForum for 4 år. Nyder ’Mr. Robot’og frygt’1984’. Fokuseret på brugernes privatliv og malware udvikling, hun tror stærkt på en verden, hvor cybersikkerhed spiller en central rolle. Hvis almindelig sund fornuft giver ingen mening, hun vil være der til at tage noter. Disse noter senere kan blive til artikler!

Flere indlæg

1 Kommentar

  1. AvatarMartin Beltov

    Hooray, I’m on Android One and not affected.


Efterlad en kommentar

Din e-mail-adresse vil ikke blive offentliggjort. Krævede felter er markeret *

Frist er opbrugt. Venligst genindlæse CAPTCHA.

Del på Facebook Del
Loading ...
Del på Twitter Tweet
Loading ...
Del på Google Plus Del
Loading ...
Del på Linkedin Del
Loading ...
Del på Digg Del
Del på Reddit Del
Loading ...
Del på Stumbleupon Del
Loading ...