Google Patches 'Extremely Serious' Android Bugs


Two critical Android vulnerabilities were recently disclosed and patched on Nexus devices via an over-the-air security update.

The first, discovered by Google Project Zero researcher Mark Brand, allows an attacker to remotely execute malware or escalate local privileges on exposed phones. Despite its "straightforward" nature, the bug is "extremely serious" and can be spread in a variety of ways, Brand wrote in a blog post.

"It's interesting that it's been undiscovered for so long," he said.

Brand's exploit works only on an undisclosed subset of Nexus handsets, and could not "be used in real-world attacks without substantial modification and even further research," Google told Ars Technica.

Still, Brand suggested it is present in a number of recent releases. "The provided exploit performs this on several recent Android versions for the Nexus 5x, and is both reliable and fast in my testing," he said.

According to September's Android security bulletin, Google has not yet received any reports of active customer exploitation or abuse of these newly reported issues. Still, the company encourages all customers to update their devices when they can.

The same update patches a second vulnerability similar to Stagefright. As reported by Ars, the bug is exploited by hiding malicious code in embedded JPEG image data, then sending the picture via Gmail or Google Talk. The unsuspecting target doesn't need to click on or open any links to become compromised.

These vulnerabilities were made public around the same time that security firm Check Point disclosed two sets of malware planted in Google Play apps. Unveiled in late August, DressCode was allegedly used to spoof ad clicks and generate revenue for the attacker, but can also be applied to breach private internal networks. CallJam, meanwhile, was concealed inside the game Gems Chest for Clash Royale, and includes a premium dialer to generate fraudulent phone calls, but only after receiving permission from the device owner.

Google did not immediately respond to PCMag's request for comment.
