Google released patches for 40 security vulnerabilities affecting Android devices. The vulnerabilities include remote code execution, elevation of privilege, and remote denial of service (DoS) flaws. Six of the vulnerabilities are rated critical and 10 are rated high severity.
The most severe vulnerabilities (CVE-2016-2428 and CVE-2016-2429) affect media file processing, a recurring issue for Android devices. The flaws allow remote code execution when a device receives a malicious email or MMS message, or when the user views a malicious webpage.
Google announced in a security bulletin that its Android Security severity ratings were updated. The notice also stated a new name for the bulletin. “To reflect a broader focus, we renamed this bulletin (and all following in the series) to the Android Security Bulletin. These bulletins encompass a broader range of vulnerabilities that may affect Android devices, even if they do not affect Nexus devices.”
The elevation of privilege vulnerabilities affecting Android’s integrated debugger (CVE-2016-2430) and Qualcomm TrustZone (CVE-2016-2432) allow malicious applications to execute arbitrary code within the debugger and within the TrustZone kernel, respectively. The flaws may permanently compromise a device, in which case repairing it may require reflashing the operating system.
Vulnerabilities were discovered by Andy Tyler at e2e-assure; Hao Chen at Qihoo 360 Technology Co. Ltd; Jake Valletta at Mandiant; Jianqiang Zhao and pjf at IceSword Lab, Qihoo 360 Technology Co. Ltd; Imre Rad at Search-Lab Ltd.; Marco Grassi at KeenLab, Tencent; Mingjian Zhou, Yuan-Tsung Lo, Lubo Zhang, Chiachih Wu, and Xuxian Jiang at C0RE Team; Peter Pi at Trend Micro; Weichao Sun at Alibaba Inc.; Yulong Zhang and Tao (Lenx) Wei at Baidu X-Lab; Zach Riggle on the Android Security team; Jeremy C. Joslin and Kenny Root at Google; Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome security team; and independent researchers Dzmitry Lukyanenka, Gal Beniamini, and Michał Bednarski.
In the Android Security 2015 Annual Report published last month, Google reported that many Android users may remain vulnerable. Only 71 percent of Android users are running on Android 4.4.4 or higher, the only versions that Google supports with security updates.