Security researchers said the CIS advisory on Feb. 7 amplifies the security updates released the day before by Google.
CIS said depending on the privileges associated with the exploited component, an attacker could install programs, view, change, or delete data, or create new accounts with full rights.
“Our advisory is related to the patches that were announced yesterday from Google,” said a CIS spokesperson. “The risk associated with these vulnerabilities can vary depending on policies within each organization regarding mobile devices. An organization that follows a BYOD policy that allows access to internal resources without a forcing mechanism to keep BYOD devices patched and updated will be at a higher risk than others. Organizations that adequately manage mobile devices and maintain reasonable compliance standards for patching will have a much lower risk profile.”
JT Keating, senior vice president of strategic initiatives at Zimperium, said while there are many levels of risk that come with vulnerabilities on mobile devices, these vulnerabilities are particularly dangerous because they can lead to elevated privileges that place the device completely at risk, including the ability to delete or change data, install applications, and even create new accounts.
“Users should implement the patch to close these vulnerabilities as soon as their carrier provides it, and businesses should follow the CIS recommendation to use capabilities to detect exploits,” Keating said.
Mike Parkin, senior technical engineer at Vulcan Cyber, added that it’s possible vendors will find it challenging to quickly get their particular flavor of Android up-to-date with the security bundle Google's released, or how quickly the wireless providers roll them out to their customers.
“One of the challenges with Android devices is that there's sometimes a delay between Google releasing new patches for their Android OS and the vendors integrating it with their many phone models,” explained Parkin. “Fortunately, there’s active protection for a lot of these in Google Play Protect, which gets enabled on most modern Android devices.”