Google’s monthly Android updates patch numerous “Get-Root” vulnerabilities – Naked Security

The good news about this month’s Android patches is that while Google’s own updates patch numerous EoP (Elevation of Privilege) holes, there are no remote code execution bugs on the list.

The bad news, of course, is that EoP bugs that lead straight to root access without any telltale signs make it easy for unscrupulous apps to suck up more data and spy on more aspects of your online life than you might ever expect.

With escalate-to-root exploit code hidden inside, even an otherwise useful but seemingly simple app – one offering, for example, a flashlight, a simple compass, or one of thousands of other innocent-looking “cover stories” – could end up being a front for spyware or a data-logging tool.

Unfortunately, even Google’s much-vaunted Play Store can’t always keep you malware-free, as untrustworthy apps regularly sneak through the automated verification processes designed to detect software that is bad for privacy, security, or both.

However, when you go off-market, things can get a lot more dangerous, not least because there are plenty of unofficial Android app stores where pretty much anything goes, including some app repositories that intentionally present themselves as a handy one-stop shop for software that Google “doesn’t want you to have”.

Who would do that?

That being said, you might think that no one would intentionally go looking for apps that are clearly not allowed on Google Play, or that have already been rejected by Google.

But cybercriminals can also use “This app is not in the Play Store” to their advantage, as reported by SophosLabs in the case of the CryptoRom scammers.

These criminals meet their victims online, often starting on dating sites.

The crooks aren’t actually after a fake romance; they just want to find “friends” whom they can quickly steer toward talking about cryptocoin investing…

…building up to convincing their victims to install a completely bogus cryptocurrency investment app.

These apps are almost always unavailable in the Play Store; the crooks, however, present this as a strength rather than a weakness, billing the apps as “exclusive” precisely because they are not available for everyone to download.

(There is a parallel scam for iPhone users to trick them into installing fake “business apps” or “beta test” apps that are not rigorously checked by Apple.)

The risks of root

Usually, Android apps are locked down so that each app runs as if it were a completely separate user on the device, just as you might have multiple logins on a laptop that you share with your family.

This explicitly limits the files and services each app can access, so a buggy or misbehaving app can’t easily get at other apps’ data, just as you can’t read other users’ home directories on a shared laptop, and so that apps don’t have access to the operating system’s own files and data.

Because each app runs in its own sandbox with its own access permissions, a compromised app can’t just roam through all your files at will and spy on whatever it wants, which limits your risk.

Additionally, unlike your Windows, Mac, or Linux laptop, Google Android reserves access to the root or administrator account for itself.

On your laptop, you can dig around in other users’ files if you have admin privileges, but you can’t do that on Android because you just can’t get those privileges by default, even if you want to.

Some Android devices, notably Google’s own Pixel phones, allow you to unlock the device so you can install any operating system or software, just like a regular laptop. However, you need physical access to the device to put it in “rootable” mode, and every time you toggle this setting on or off, the data already on the device is erased. This prevents you from “rooting” an existing Google Android phone and recovering protected data that was previously on it, and it prevents you from preparing a pre-rooted base onto which you can later put an apparently locked-down version of Android.

What has been fixed?

Google’s updates are listed in its April 2022 Security Bulletin, which lists numerous EoP bugs in the Android application framework (the underlying system programming libraries that other apps rely on) and some in the system itself.

This month, Google offers phone vendors two different update levels: 2022-04-01, which seems to fix the most urgent bugs, and 2022-04-05, which contains fixes for additional security vulnerabilities.

As the company notes, “[this month’s] Bulletin has two security patch levels, giving Android partners the flexibility to more quickly fix a subset of vulnerabilities that are similar across Android devices,” which seems to indicate that Google would rather have many or most vendors fixing at least some bugs than just a few vendors fixing all of them.

Despite this, Google makes it clear that a full patch is much preferred: “Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.”

The 2022-04-01 patch level fixes a total of eight EoP bugs, seven in the Android framework libraries and one in the system itself.

The company notes that these bugs “could result in local escalation of privilege with no additional execution privileges needed. No user interaction is needed for exploitation.”

The stricter 2022-04-05 patch level adds protection against another four EoP bugs, including a system-level vulnerability that comes with a warning that, if left unpatched, the hole “could result in local escalation of privilege from the guest account with no additional execution privileges needed. No user interaction is needed for exploitation.”

What should I do?

Users of Google’s own Pixel phones can update right away, without waiting for their turn in the automatic update delivery queue, by going straight to Settings > Security > Security update.

(We just updated our Pixel 4a; the update itself was listed as a stingy 11.4MB download, but the installation process took nearly an hour after the near-instant download was complete, so don’t lose faith if your update worryingly seems to take longer than expected!)

Other phone owners may not receive the update immediately; when you do, your security patch level after the update (and the mandatory reboot) should show as April 1, 2022 or April 5, 2022, depending on which patch level your vendor has chosen.

You can check your Android version by going to the Settings > Android version page.
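For anyone looking after more than one handset, the same check can be scripted. The following is an added example, not code from the article or from Google: it reads the device’s security patch level over adb (ro.build.version.security_patch is a real Android system property) and classifies it against the two patch levels in this month’s bulletin; the helper functions, thresholds and status names are our own.

```sh
#!/bin/sh
# Added example, not from the article or from Google: classify a device's
# security patch level against the two levels in the April 2022 bulletin.
# ro.build.version.security_patch is a real Android system property; the
# helper functions and the thresholds below are our own.

PARTIAL_LEVEL="2022-04-01"   # fixes the most urgent subset (8 EoP bugs)
FULL_LEVEL="2022-04-05"      # fixes every issue in the bulletin (4 more EoP bugs)

# Turn an ISO patch-level date such as 2022-04-05 into the integer 20220405
# so that levels can be compared numerically with -lt.
level_to_int() {
    printf '%s' "$1" | sed 's/-//g'
}

# classify_patch_level LEVEL -> prints one of: unknown, unpatched, partial, full
classify_patch_level() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;   # well-formed date
        *) printf 'unknown\n'; return 2 ;;               # empty or garbage
    esac
    if [ "$(level_to_int "$level")" -lt "$(level_to_int "$PARTIAL_LEVEL")" ]; then
        printf 'unpatched\n'
    elif [ "$(level_to_int "$level")" -lt "$(level_to_int "$FULL_LEVEL")" ]; then
        printf 'partial\n'
    else
        printf 'full\n'
    fi
}

# check_device SERIAL -> "SERIAL<TAB>LEVEL<TAB>STATUS" for one attached device.
# adb is needed only here; classify_patch_level works on any string.
check_device() {
    serial="$1"
    level="$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')"
    printf '%s\t%s\t%s\n' "$serial" "$level" "$(classify_patch_level "$level")"
}

# Run against every device adb can see, skipping the "List of devices" header.
check_all_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        check_device "$serial"
    done
}
```

A device reporting “partial” has the 2022-04-01 level and is still missing the four extra fixes that only 2022-04-05 delivers.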

Meanwhile, check that your apps are up to date by opening the Google Play app, tapping your account icon (the small circle) in the top right corner of the screen, and going to the Manage apps and device screen.

By the way, despite the imperfections in Google Play, we strongly encourage you to stick to it if you can.

While Google doesn’t always keep malware out, the Play Store has a review process that all apps must go through, as well as a mechanism to reliably keep installed apps up to date…

…which is much better than an unknown “alternative” app store open to anyone to submit any app they want, including apps that have already been rejected by Google itself.


About Willie Ash
