Android phones are vulnerable to attacks that could allow someone to takeover a device remotely without the device owner needing to do anything.<\/p>\n
Updates for these vulnerabilities and more are included in Google’s Android security bulletin for December<\/a>. In total, there are patches for 94 vulnerabilities, including five rated as \u201cCritical.\u201d<\/p>\n The most severe of these flaws is a vulnerability in the System component that could lead to remote code execution (RCE) without any additional execution privileges required. User interaction is not needed for exploitation.<\/p>\n This vulnerability, referenced as CVE-2023-40088<\/a>, affects a function that is used for Bluetooth communication, so the \u201cremote\u201d part is limited to \u201cclose range\u201d since the average Bluetooth range is about 30 feet (10 meters). Successful manipulation with a specially crafted input leads to a use after free vulnerability. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.<\/p>\n Another critical vulnerability (CVE-2023-40077<\/a>) that looks problematic is an Elevation of Privilege (EoP) vulnerability in the Android Framework. Successful exploitation could lead to a race condition. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. In this case it could provide a successful attacker with permissions to perform actions they shouldn\u2019t be able to.<\/p>\n Security patch levels of 2023-12-05 or later address all of these issues. To learn how to check a device’s security patch level, see how to\u00a0check and update your Android version<\/a>. The updates have been made available for Android 11, 12, 12L, 13, and 14. Android partners are notified of all issues at least a month before publication, however,\u00a0this doesn\u2019t always mean that the patches are available for devices from all vendors<\/a>. Android vendors such as Samsung and OnePlus have pledged to release security updates once a month. Google usually ships out security updates to Pixel phones within two weeks or sooner.<\/p>\n We don\u2019t just report on vulnerabilities\u2014we identify them, and prioritize action.<\/strong><\/p>\n Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using\u00a0ThreatDown Vulnerability and Patch Management<\/a>.<\/p>\n
\n