Critical Android Vulnerability Could Make Smartphones Unusable


Google has patched many vulnerabilities in Android during its September patch cycle, including a critical vulnerability that could render smartphones useless. This vulnerability allows a "permanent denial of service" according to Google.


In total, forty vulnerabilities in the operating system have been fixed with the September updates. Among other things, these vulnerabilities allow a malicious app to gain additional permissions without user interaction and to access protected data from other applications.


According to Google, the most dangerous vulnerability in the Android code is CVE-2021-0687. This vulnerability exists in the Android Framework and allows a remote attacker to cause a permanent denial of service by using a specially crafted file. Google has not given further details.


In addition to vulnerabilities in its own Android code, the monthly patch round also resolves vulnerabilities in components from chipset manufacturers that Android uses. This month it concerns components from MediaTek, Unisoc and Qualcomm.


Six of Qualcomm's software vulnerabilities have been identified as critical. Four of them can only be exploited locally, through a rogue app on the device, but two can be exploited remotely. These are CVE-2021-1933 and CVE-2021-1946, which are present in the software for the data modem and, in the worst-case scenario, allow an attacker to execute arbitrary code. The impact of these vulnerabilities has been rated 9.8 on a scale of 1 to 10.


Patch level

Google works with so-called patch levels, each identified by a date. Devices that receive the September updates will have '2021-09-01' or '2021-09-05' as their patch level. Manufacturers who want their devices to get this patch level must add all updates from the September Android bulletin to their own updates and then roll them out to their users. The updates have been made available for Android 8.1, 9, 10 and 11.


According to Google, manufacturers of Android devices were informed at least a month ago about the vulnerabilities that have now been fixed and have been able to develop updates in that time. However, that does not mean that all Android devices will receive these updates. Some devices are no longer supported with updates from the manufacturer, or the manufacturer releases the updates at a later time.
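As an added example (not from the article or from Google), the following Python code checks a device inventory against the two September patch levels and reports which of the CVEs named above a device may still lack fixes for. It assumes the bulletin's usual split, which the article does not state: the '-01' level covers the Android Framework fix and the '-05' level adds the Qualcomm component fixes. The inventory and the function names are constructed for illustration.

```python
from datetime import date

# Assumption (not stated in the article): usual bulletin split, where the -01
# level covers Android framework fixes and the -05 level adds vendor components.
REQUIRED_LEVEL = {
    "CVE-2021-0687": date(2021, 9, 1),  # Android Framework, permanent DoS
    "CVE-2021-1933": date(2021, 9, 5),  # Qualcomm data modem
    "CVE-2021-1946": date(2021, 9, 5),  # Qualcomm data modem
}

# Constructed sample inventory. On a real device the patch level is the value
# of the system property ro.build.version.security_patch.
SAMPLE_INVENTORY = [
    {"id": "dev-a", "patch_level": "2021-09-05"},
    {"id": "dev-b", "patch_level": "2021-09-01"},
    {"id": "dev-c", "patch_level": "2021-08-05"},
    {"id": "dev-d", "patch_level": "2019-10-01"},  # no longer updated
    {"id": "dev-e", "patch_level": ""},            # level not reported
]


def parse_patch_level(value):
    """Parse a 'YYYY-MM-DD' patch level; return None if missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (AttributeError, ValueError):
        return None


def unpatched_cves(patch_level):
    """Return the sorted CVEs whose fix is not covered by this patch level."""
    level = parse_patch_level(patch_level)
    if level is None:
        # An unknown patch level is treated as unpatched, never as compliant.
        return sorted(REQUIRED_LEVEL)
    return sorted(cve for cve, needed in REQUIRED_LEVEL.items() if level < needed)


def triage(inventory):
    """Map each device id to the list of fixes it is still missing."""
    return {d["id"]: unpatched_cves(d["patch_level"]) for d in inventory}


if __name__ == "__main__":
    for dev, cves in triage(SAMPLE_INVENTORY).items():
        print(dev, "up to date" if not cves else "missing: " + ", ".join(cves))
```

The two modem CVEs only matter for devices that actually contain the affected Qualcomm software, so a '-01' device on another chipset can be cleared after checking its hardware.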
