Android Patchday: Attackers can escalate privileges in the system

On Android Patchday, Google closes several vulnerabilities that allow attackers to escalate their privileges.


Security vulnerabilities threaten Android smartphones.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Google is patching several security vulnerabilities in the Android smartphone operating system on the May Patchday. Malicious actors can abuse most of them to escalate their privileges in the system. Smartphone processor manufacturers have also had to patch vulnerabilities.

According to Google's security announcement, the company's programmers have patched only eight vulnerabilities in the Android core system. Four of these affect the Android framework. All four allow privilege escalation and are classified as high risk. There are three privilege escalation vulnerabilities in the Android system component, one of which is classified as a critical risk. Another high-risk vulnerability can lead to information disclosure.

The vulnerabilities affect Android 12, 12L, 13 and 14; the critical vulnerability only affects Android 14. Google is patching three of them, including the only vulnerability classified as a critical risk, via Google Play system updates. This means that smartphones that have not yet received an update from the manufacturer can also benefit from some of the security fixes.

In addition to the May 1, 2024, patch level, which closes the aforementioned vulnerabilities, there is also the May 5, 2024, patch level. Among other things, the developers closed a kernel vulnerability, rated high risk, that allows privilege escalation. Other security-relevant bugs fixed at this patch level relate to components from the processor developer ARM; more specifically, there are three vulnerabilities in the software for the Mali GPU. Four vulnerabilities are in MediaTek components and ten in those from Qualcomm.

Information on the updates for Pixel smartphones is currently still missing, but fresh firmware with the security patches should also be available shortly. Users with Android smartphones should check whether the security updates are already available for their smartphone.
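To make the difference between the two patch levels concrete, here is an added example (not part of the original article and not Google's tooling) that classifies a device's reported security patch level against the May 1 and May 5, 2024, levels. The function names, verdict labels and device inventory are constructed for illustration; on a real device the value is read from the `ro.build.version.security_patch` property.

```shell
#!/bin/sh
# Classify Android security patch levels (YYYY-MM-DD) against the two
# May 2024 levels described in the article. Verdict labels are illustrative.
# Fixes delivered through Google Play system updates are tracked separately
# and are not covered by this check.

# Succeed only for a well-formed YYYY-MM-DD string.
valid_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# full     = 2024-05-05 or later (adds kernel, ARM Mali, MediaTek, Qualcomm fixes)
# partial  = 2024-05-01 up to 2024-05-04 (framework and system fixes only)
# outdated = older than 2024-05-01
# unknown  = value could not be parsed
classify_patch_level() {
    level=$(printf '%s' "$1" | tr -d '\r')   # adb output may carry a CR
    if ! valid_level "$level"; then
        echo "unknown"
        return 0
    fi
    n=$(printf '%s' "$level" | tr -d '-')    # 2024-05-05 -> 20240505
    if [ "$n" -ge 20240505 ]; then
        echo "full"
    elif [ "$n" -ge 20240501 ]; then
        echo "partial"
    else
        echo "outdated"
    fi
}

# Read "device patch-level" lines on stdin and print one verdict per device.
audit_inventory() {
    while read -r device level; do
        [ -n "$device" ] || continue
        printf '%s %s\n' "$device" "$(classify_patch_level "$level")"
    done
}

# Constructed sample inventory (device names are hypothetical).
SAMPLE_INVENTORY='phone-a 2024-05-05
phone-b 2024-05-01
phone-c 2024-04-05
phone-d n/a'

# Live value from a device connected over adb:
#   adb shell getprop ro.build.version.security_patch
printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

A device reporting `2024-05-01` therefore still lacks the kernel and chipset vendor fixes that only the `2024-05-05` level includes.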

On the April Patchday, Google likewise patched security vulnerabilities in Android that attackers could use to escalate their privileges. The highest severity among those vulnerabilities was high risk.

(dmk)