The good news in this month’s Android patches is that even though Google’s own updates close off numerous elevation of privilege (EoP) holes, there aren’t any remote code execution bugs on the list.
The bad news, of course, is that EoP bugs that directly lead to root access, without any tell-tale signs, make it easy for unscrupulous apps to suck up more data, and snoop on more aspects of your online life, that you might ever expect.
With escalate-to-root exploit code hidden inside, even an otherwise perfectly useful but apparently basic app – offering functionality such as a flashlight or a simple compass, for example, or any of thousands of other innocent-looking “cover stories” – could end up being a front for spyware or a data logging tool.
Unfortunately, even Google’s much-vaunted Play Store can’t always keep you malware-free on its own, with untrustworthy apps regularly sneaking through the automated vetting processes that’s supposed to detect software that egregiously oversteps the mark when it comes to privacy, security or both.
Nevertheless, if you go off-market, things can get much more dangerous, not least because there are many unofficial Android app stores out there where pretty much anything goes, including some app repositories that deliberately pitch themselves as a handy place to get at software that Google “doesn’t want you to have”.
Who would do that?
As an aside, you might think that no one would deliberately seek out apps that clearly wouldn’t be permitted on Google Play, or that have already been rejected by Google.
But cybercriminals can even turn “this app’s not in the Play Store” to their advantage, as SophosLabs has reported in the case of the CryptoRom scammers.
These criminals get to know their victims online, often starting on dating sites.
The crooks don’t intend to begin bogus romances, but simply to make “friends” with whom they soon start to talk about cryptocoin investments…
…building up to persuading their victims to install an entirely fraudulent cryptocurrency investment app.
These apps are almost always off-market, but the crooks portray this as a strength, not a weakness, with the apps pitched as “exclusive” precisely because they aren’t available for just anybody to download.
(There’s a parallel scam for iPhone users to trick them into installing fake “business apps” or “beta test” apps, which aren’t strictly vetted by Apple.)
The risks of root
Usually, Android apps are locked down so that each app runs as if it were an entirely separate user on the device, in the same way that you might have multiple logins on your laptop to share it with your family.
This explicitly limits the files and services that each app can access, so that a buggy or ill-behaved app can’t easily access the data belonging to other apps, in the same way that you can’t read other user’s home directories on a shared laptop, and so that apps don’t have access to any of the operating system’s own files and data.
With every app running in its own sandbox of access permissions, one compromised app can’t simply wander around all your files at will, snooping on whatever it wants, which limits your risk.
Additionally, and unlike your Windows, Mac or Linux laptop, Google Android reserves access to the root, or admininstrator, account, for itself.
On your laptop, you can rootle around in other users’ files if you have Administrator privileges, but on Android, you can’t do that because, by default, you simply can’t get those privileges, even if you want to.
Some Android devices, notably Google’s own Pixel phones, allow you to unlock your device to install any operating system or software you like, such as a non-Google Android version where users are allowed to request and receive root access, just as they can on a regular laptop. But you need physical access to the device to set it into “rootable” mode, and every time you turn this setting on or off, the data already on the device gets wiped. This stops you “rooting” an existing Google Android phone and recovering protected data that was on there before, and it stops you preparing a pre-rooted substrate on which to layer an apparently locked-down version of Androind later.
What’s been fixed?
Google’s updates are enumerated in its April 2022 Security Bulletin, which lists numerous EoP flaws in the Android application framework (the underlying system programming libraries that other apps rely on), and some in the system itself.
This month, Google is offering phone vendors two different update levels, dubbed 2022-04-01, which apparently fixes the most pressing bugs, and 2022-04-05, which includes fixes for additional security holes.
As the company notes, “[this month’s] bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly,” which seems to suggest that Google would rather have many or most vendors fixing at least some bugs than having only some vendors patching all bugs.
Nevertheless, Google does make it clear that a full patch is greatly preferred: “Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.”
The 2022-04-01 patch level fixes eight EoP bugs in total, seven in the Android programming libraries, and one in the system itself.
The company notes that these bugs “could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.”
The more rigorous 2022-04-05 patch level adds protection against a further four EoP bugs, including a system-level vulnerability with a warning that, if unpatched, the hole “could lead to local escalation of privilege from the Guest account with no additional execution privileges needed. User interaction is not needed for exploitation.”
What to do?
Users of Google’s own Pixel phones can update right now, without waiting for their turn in the automated update delivery queue, by going right now to Settings > Security > Security Update.
(We just updated our Pixel 4a; he update itself was listed as a miserly 11.4MB download, but the installation process took nearly an hour once the almost-instantaneous download had completed, so don’t lose faith if you update and it takes worryingly longer than you were expecting!)
Owners of other phones may not receive the update immediately; when you do, your security update level after the update (and its compulsory reboot) should show up as 1 April 2022 or as 5 April 2022, depending on which patch level your vendor selected.
You can check your Android version by going to the Settings > Android version page.
While you’re about it, check that your apps are up-to-date by opening the Play Store app, tapping on your account icon (the small circle) at the top right corner of the screen, and accessing the Manage apps and device screen.
By the way, despite the imperfections in Google Play, we strongly recommend that you stick to it if you can.
Even though Google doesn’t always keep malware out, the Play Store does have a vetting process that all apps have to go through, as well as a mechanism for keeping installed apps up-to-date reliably…
…which is a lot better than an unknown “alternative” app store open to anyone to submit any app they like, including apps that have already been rejected by Google itself.
Mr Richard Austin
I wonder what percentage of Android phones in use will see this update. Google may do the work, but rely on manufacturers to distribute updates, and the manufacturers usually can’t be bothered after the phone is a couple of years old. At least Microsoft do the work and take responsibility for distributing it through their monthly updates.
It is a disgrace that Android security updates are only for those who are prepared to ditch perfectly usable phones every couple of years.
Kyle
The issue I have is that some developers lock you out of certain regions for “a better experience.” For example, a game might have four releases: Asia, Europe, America, and Global. Global is for countries not region locked, and the rest are region locked for better online experiences (such as lower net latency and reduced multiplayer language barriers).
In my case, I wanted to play a game named Honkai Impact 3 with my South African high school buddy, but can’t because he’s locked to Europe and I’m locked to Asia. So we get a custom app store, pray to god it’s not virussed, and then both install the global version. This has allowed us to coop over 50 hours in the game together. This is not piracy, mind you – it’s a free to play game.
If vendors would just give us more freedom to choose our multiplayer servers, then at least us gamers wouldn’t be in this situation in the first place, which I understand is a huge reason for alternative app stores. An example of a mobile game that does it right is Epic7. Because we may choose our own region, we installed the official Google Play version. Both of us chose the global server from within the app, and have been playing that game together nearly three years now.
Fred
I would rather not apply this security update.
Why would I deliberately cuff myself to a tree in the woods and break the keys?
First I myself use the mentioned vulnerabilities to get root access.
Then I use the newly acquired root access to close the loophole for malicious apps.
I don’t understand people deliberately hardening their devices against themselves.
Bad actors will always find ways to exploit your device, and you don’t always need root to do nasty theft of data.
The Google Play Store is rife with PII data-stealing applications accidentally approved by Google & installed by millions.
But somehow it’s totally a big no-no to install a third-party mod APK that removes such invasive tracking.
Even if you carefully make sure to get it from a reputable source & a known mod author.
All these security updates do is punish & penalize the genuine device owner.
All while criminals don’t give two hoots and find ways to even publish malware on the official Play Store.
This ends up teaching people who felt scammed to disable updates & keep using old versions.
Especially when for example a printer update fixes a security flaw but also blocks all the third-party ink cartridges for no reason.
We very often see people asking ‘will this update block cheaper ink?’ instead of asking how to update.
Kinda like countries law.
Why make heavily restrictive laws that criminals don’t care to respect anyway?
Outlaws are outside the grip of law.
Criminals don’t care about the law.
Laws themelves only apply to those who respect the law.
Why not make murder illegal? Ah, it already is!
But laws aren’t magical spells so outlaws don’t care about them to begin with.
Only the jail time applies to those who don’t respect the law, if they get caught to begin with.
Laws cannot stop crime. It’s not magic spells.
Laws can only punish those who commit crime with jail time after the crime has already been commited.
And laws can only do this if the crime author is found.
We cannot jail people for a crime that they did not commit yet.
At best we can give a much lesser sentence after proving intent to commit a crime.
Make root access illegal and only criminals will have root access.
Make strong cryptography illegal and only criminals will be able to protect their data.
Shooting yourself in the foot in the same of security isn’t the solution.
Just like with spyware on the Google Play:
Google could very well instead add a built-in Firewall app to Android.
This way you block Internet access to apps that don’t deserve it but are needed for your workflow.
They will then think there’s no network available.
And they could also add a better permissions management.
Allowing users to return a fake contacts list or IMEI number if the app is disallowed read-phone-state permissions would be nice, and so on.
These two ideas alone would drastically boost the security level of Android for everyone, not just ROM tweakers.
But instead we always beat down honest Android users to ground.
While bad actors are sitting there watching the endless flow of ‘security updates’ and bypassing them.
Paul Ducklin
Your argument is absurd, because its broader implication is that you should never accept any security updates for any software ever, just in case you need to break into your own phone later on…
…in order to have the freedom patch all the vulnerabilities you didn’t patch earlier.
These updates aren’t about “making root access illegal” – not least because Google’s own phones (the current models, at any rate) can be rooted by choice if you really want, allowing you to install firmware, an operating system and apps of your own. If rooting your phone is important to you, vote with your wallet: don’t buy devices that are locked against rooting. That way you get to update your own device whenever you want, without having to find an exploit for a vulnerability that already exists, and then finding a way to use that vulnerability to install your own patches for all the other vulnerabilities, along with leaving behind a root hole that only you know about to reconfigure the otherwise locked-down parts of the system.
TBH, it sounds as though your main beef is with Google’s own variant of Android, and the Play Store, and the kind of apps you often find there. Seems that the most professional and productive solution for you is simply not to use Google Android, but to choose and use (or create for yourself) an alternative one – there are several well-known ones around. Ironically, perhaps, you may well find that a Google-branded phone is the best choice for that, given that they come with an “OEM unlock” option that allows you to install what you like.
Kyle
I think a big part of that poster’s anger stems from the fact that manufacturers like HTC and Huawei work very hard to lock users out of their own phones. Huawei used to allow unlocked bootloaders on demand via email request, but has since removed all such options. And if you’re caught accidentally bricking your phone because you wanted to secure things yourself, all warranties are void. On a PC, you’d simply reinstall the OS. On phone, you can’t do anything because of the locked bootloader, and have to buy a new phone.
I’m in the camp that has successfully build my own ROMs (phone OS’s) from source for years with insane customizations, and it’s liberating. It’s also soul crushing. Every new phone takes me 4-6 months to get where I want it; stability and device drivers is a huge problem, and unless you’ve used the phone over 12 months without issue, you wonder: have I been missing phone calls because of a buggy implementation.
I myself am truly saddened that tech-capable phone users are treated like morons and locked out of their phones. I understand why: tight control means they have less customer support staff to feed and more freedom around updates. But the fact that doing your own thing is so hard means you’re at the mercy of the corp update cycle, and forced to buy a new phone if they decide you’re end-of-life. It also means optional updates that ruin your experience are non-optional, because they’re mixed in with security patches. Google would have done us a great service keeping update lifecycles the way popular Linux distros do. Instead they created the most insanely complex stack I’ve ever seen (rivaling only kubernetes), creating so much work for even the smallest updates that it’s financially disastrous for OEMs to afford users any update customization.