Got an Android? I hope you’re patching it

If you are one of the many millions of people who owns an Android phone, I do hope you’re managing to keep it updated.

For some Android users it’s easy to keep up with the latest security patches. Perhaps unsurprisingly, it’s owners of Google-manufactuered Nexus Android phones who seem to be the best off – now receiving security updates on a monthly basis. But some of the other major manufacturers are also getting better at rolling out updates in a reasonably timely fashion.

Which is important, because new flaws are found in the Android operating system all the time and they could – potentially – be exploited by malicious hackers to compromise your smartphone or steal your data.

Just yesterday, Google announced that it had released its latest monthly over-the-air (OTA) security update, addressing a number of security issues.

Yes, chances are that many people will have been treated to an Android smartphone over the holiday period, and are already finding that it needs an update to make it work more safely.

The flaws, which are found in multiple versions of Android – from 4.4 KitKat to 6 Marshmallow – are listed below:

Issue CVE Severity
Remote Code Execution Vulnerability in Mediaserver CVE-2015-6636 Critical
Elevation of Privilege Vulnerability in misc-sd driver CVE-2015-6637 Critical
Elevation of Privilege Vulnerability in the Imagination Technologies driver CVE-2015-6638 Critical
Elevation of Privilege Vulnerabilities in Trustzone CVE-2015-6639 Critical
Elevation of Privilege Vulnerability in Kernel CVE-2015-6640 Critical
Elevation of Privilege Vulnerability in Bluetooth CVE-2015-6641 High
Information Disclosure Vulnerability in Kernel CVE-2015-6642 High
Elevation of Privilege Vulnerability in Setup Wizard CVE-2015-6643 Moderate
Elevation of Privilege Vulnerability in Wi-Fi CVE-2015-5310 Moderate
Information Disclosure Vulnerability in Bouncy Castle CVE-2015-6644 Moderate
Denial of Service Vulnerability in SyncManager CVE-2015-6645 Moderate
Attack Surface Reduction for Nexus Kernels CVE-2015-6646 Moderate

The most concerning of the flaws (given the identifier CVE-2015-6636) was given the highest severity rating of “Critical” and could allow remote code execution on vulnerable devices through a variety of methods – including email, web browsing and MMS when handling media files.

In other words, a malicious hacker could boobytrap a movie file, plant it on a website or send it to you via email or MMS, and within two shakes have installed malware, taking remote control of your smartphone and snooping upon your files and conversations.

That, I’m sure you will agree, is a pretty serious vulnerability. Fortunately, Google says it has had “no reports of active exploitation of these newly reported issues.”

Flaws taking advantage of Android’s shaky handling of MMS files have been giving Google something of a headache in recent months, with the so-called Stagefright vulnerabilities generating many headlines.

Things didn’t improve when Google’s patch for the Stagefright security hole was found to not actually work properly.

Let’s hope that Google has done a better job this time.

And my advice is that if you have a vulnerable Android device, you should patch it. But Google has only released fixes for the Android smartphones which it manufactures. If you own an Android made by another firm then you have to wait for them to push out a patch, and for it to be delivered by your carrier.

Google says that it informed its Android partners about the issues, and provided updates for the issues described in its security bulletin, in early December, and that source code patches will be released to the Android Open Source Project (AOSP) repository shortly.

When your device prompts you that a security update is available, be sure to apply it. If you aren’t one of the lucky ones to be told there is a security update, you should perhaps be having some strong words with your phone’s manufacturer – as maybe they need to be told that you’ll be less likely to buy one of their devices in future, if they can’t get a proper handle on keeping it updated.

Picture credits: (c)flickr/khamtran.

Author Graham Cluley, We Live Security

Follow us

Copyright © 2016 ESET, All Rights Reserved.