The January Android Security Bulletin has just been published by Google, including details of seven vulnerabilities within the Android operating system. One of these, affecting Android operating system versions 8, 8.1 and 9 has been given a “critical” rating, so it’s important that you seek out and install the January security update as soon as it’s available to you.
The critical flaw in the Android Media framework, dubbed CVE-2020-0002, is a remote code execution (RCE) flaw. This “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” according to Google.
So what does this mean? Google doesn’t release full details of Android security issues until after people’s handsets are patched, to help prevent attackers from being able to easily exploit flaws.
“On the face of it, it does seem like a significant issue,” says security researcher Sean Wright. He points out that the issue allows an attacker to run commands on your device as a privileged user.
He says it is “almost certain” that a malicious app installed on your device could take advantage of the critical vulnerability, but it’s not clear if it is exploitable remotely.
“If this is possible, it would be really bad,” says Wright. But he thinks that it is not. “Otherwise we would likely see a higher rating and more visibility about it.”
Other Google Android issues
Last month, Google patched a critical Android 8, 9 and 10 issue which resulted in a “permanent” denial of service threat. Also in December, security researchers revealed details about a dangerous Android vulnerability they call “StrandHogg,” which allows malware to pose as legit apps.
In October, Google Android users found out they had been put at risk, after it emerged a keyboard app called ai.type was making millions of unauthorized purchase of premium digital content.
Meanwhile, Qualcomm, whose chips are included in Android devices, also patched 29 vulnerabilities detailed in the Google Android Security Bulletin. The most severe of these was related to its rtlwifi driver. “The most severe vulnerability in this section could enable a proximate attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process,” Google’s Android security bulletin said.
Who is getting the Google Android security patch and when?
Android device manufacturers are notified of issues at least a month before Google publishes them. However, as Android users are already aware, there can sometimes be a frustrating wait until an update reaches your device.
Samsung said in its security maintenance release for January 2020 that it will be releasing the CVE-2020-0002 patch alongside some other Android fixes to major handset models.
Fixes for Pixel, LG and Nokia are coming soon.
“Unfortunately Android still suffers from a very fractured deployment of security fixes,” Wright says. “Some vendors do a fantastic job, and others leave much to be desired. Even when it’s a specific vendor, rollout of security fixes can very much depend on the actual device you have.”
Securing your Google Android device: What to do
There is no need to panic, but it goes without saying that if the Android January security patch is available, you should apply it now. You can find it on your Android device by going to your Settings > Security > Check for an update. If it’s there you can tap the security update.
In contrast to Apple, which owns the entire ecosystem, the Android ecosystem is by its very nature fragmented. It puts more onus on you, the user, to watch out for threats and ensure your device is secure.
But there are some simple steps you can take to keep your Android device secure, such as ensuring you are careful about the apps you download. “Be wary about the apps you install on your device,” Wright warns.
He also highlights the importance of checking the permissions an app is requesting. “If a flashlight app is requesting permission to access your contacts, that should be an immediate red flag.”
In addition, you should make sure you are installing security updates as soon as they are available for your device–and be proactive about checking for them.