Google Patches 'Extremely Serious' Android Bugs


Two critical Android vulnerabilities were recently disclosed and patched on Nexus devices via an over-the-air security update.

The first, discovered by Google Project Zero researcher Mark Brand, allows an attacker to remotely execute malware or escalate local privileges on exposed phones. Despite its "straightforward" nature, the bug is "extremely serious" and can be spread in a variety of ways, Brand wrote in a blog post.

"It's interesting that it's been undiscovered for so long," he said.

Brand's exploit works only on an undisclosed subset of Nexus handsets, and could not "be used in real-world attacks without substantial modification and even further research," Google told Ars Technica.

Still, Brand suggested it is present in a number of recent releases. "The provided exploit performs this on several recent Android versions for the Nexus 5x, and is both reliable and fast in my testing," he said.

According to September's Android security bulletin, Google has not yet received any reports of active customer exploitation or abuse of these newly reported issues. Still, the company encourages all customers to update their devices when they can.

The same update patches a second vulnerability similar to Stagefright. As reported by Ars, the bug is exploited by hiding malicious code in embedded JPEG image data, then sending the picture via Gmail or Google Talk. The unsuspecting target doesn't need to click on or open any links to become compromised.

These vulnerabilities were made public around the same time that security firm Check Point disclosed two sets of malware planted in Google Play apps. Unveiled in late August, DressCode was allegedly used to spoof ad clicks and generate revenue for the attacker, but can also be applied to breach private internal networks. CallJam, meanwhile, was concealed inside the game Gems Chest for Clash Royale, and includes a premium dialer to generate fraudulent phone calls—but only after receiving permission from the device owner.

Google did not immediately respond to PCMag's request for comment.
