Site icon Sophos News

Google’s monthly Android updates patch numerous “get root” holes

The good news in this month’s Android patches is that even though Google’s own updates close off numerous elevation of privilege (EoP) holes, there aren’t any remote code execution bugs on the list.

The bad news, of course, is that EoP bugs that directly lead to root access, without any tell-tale signs, make it easy for unscrupulous apps to suck up more data, and snoop on more aspects of your online life, that you might ever expect.

With escalate-to-root exploit code hidden inside, even an otherwise perfectly useful but apparently basic app – offering functionality such as a flashlight or a simple compass, for example, or any of thousands of other innocent-looking “cover stories” – could end up being a front for spyware or a data logging tool.

Unfortunately, even Google’s much-vaunted Play Store can’t always keep you malware-free on its own, with untrustworthy apps regularly sneaking through the automated vetting processes that’s supposed to detect software that egregiously oversteps the mark when it comes to privacy, security or both.

Nevertheless, if you go off-market, things can get much more dangerous, not least because there are many unofficial Android app stores out there where pretty much anything goes, including some app repositories that deliberately pitch themselves as a handy place to get at software that Google “doesn’t want you to have”.

Who would do that?

As an aside, you might think that no one would deliberately seek out apps that clearly wouldn’t be permitted on Google Play, or that have already been rejected by Google.

But cybercriminals can even turn “this app’s not in the Play Store” to their advantage, as SophosLabs has reported in the case of the CryptoRom scammers.

These criminals get to know their victims online, often starting on dating sites.

The crooks don’t intend to begin bogus romances, but simply to make “friends” with whom they soon start to talk about cryptocoin investments…

…building up to persuading their victims to install an entirely fraudulent cryptocurrency investment app.

These apps are almost always off-market, but the crooks portray this as a strength, not a weakness, with the apps pitched as “exclusive” precisely because they aren’t available for just anybody to download.

(There’s a parallel scam for iPhone users to trick them into installing fake “business apps” or “beta test” apps, which aren’t strictly vetted by Apple.)

https://nakedsecurity.sophos.com/2021/10/13/romance-scams-with-a-cryptocurrency-twist-new-research-from-sophoslabs/

The risks of root

Usually, Android apps are locked down so that each app runs as if it were an entirely separate user on the device, in the same way that you might have multiple logins on your laptop to share it with your family.

This explicitly limits the files and services that each app can access, so that a buggy or ill-behaved app can’t easily access the data belonging to other apps, in the same way that you can’t read other user’s home directories on a shared laptop, and so that apps don’t have access to any of the operating system’s own files and data.

With every app running in its own sandbox of access permissions, one compromised app can’t simply wander around all your files at will, snooping on whatever it wants, which limits your risk.

Additionally, and unlike your Windows, Mac or Linux laptop, Google Android reserves access to the root, or admininstrator, account, for itself.

On your laptop, you can rootle around in other users’ files if you have Administrator privileges, but on Android, you can’t do that because, by default, you simply can’t get those privileges, even if you want to.

Some Android devices, notably Google’s own Pixel phones, allow you to unlock your device to install any operating system or software you like, such as a non-Google Android version where users are allowed to request and receive root access, just as they can on a regular laptop. But you need physical access to the device to set it into “rootable” mode, and every time you turn this setting on or off, the data already on the device gets wiped. This stops you “rooting” an existing Google Android phone and recovering protected data that was on there before, and it stops you preparing a pre-rooted substrate on which to layer an apparently locked-down version of Androind later.

What’s been fixed?

Google’s updates are enumerated in its April 2022 Security Bulletin, which lists numerous EoP flaws in the Android application framework (the underlying system programming libraries that other apps rely on), and some in the system itself.

This month, Google is offering phone vendors two different update levels, dubbed 2022-04-01, which apparently fixes the most pressing bugs, and 2022-04-05, which includes fixes for additional security holes.

As the company notes, “[this month’s] bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly,” which seems to suggest that Google would rather have many or most vendors fixing at least some bugs than having only some vendors patching all bugs.

Nevertheless, Google does make it clear that a full patch is greatly preferred: “Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.”

The 2022-04-01 patch level fixes eight EoP bugs in total, seven in the Android programming libraries, and one in the system itself.

The company notes that these bugs “could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.”

The more rigorous 2022-04-05 patch level adds protection against a further four EoP bugs, including a system-level vulnerability with a warning that, if unpatched, the hole “could lead to local escalation of privilege from the Guest account with no additional execution privileges needed. User interaction is not needed for exploitation.”

What to do?

Users of Google’s own Pixel phones can update right now, without waiting for their turn in the automated update delivery queue, by going right now to Settings > Security > Security Update.

(We just updated our Pixel 4a; he update itself was listed as a miserly 11.4MB download, but the installation process took nearly an hour once the almost-instantaneous download had completed, so don’t lose faith if you update and it takes worryingly longer than you were expecting!)

Owners of other phones may not receive the update immediately; when you do, your security update level after the update (and its compulsory reboot) should show up as 1 April 2022 or as 5 April 2022, depending on which patch level your vendor selected.

You can check your Android version by going to the Settings > Android version page.

While you’re about it, check that your apps are up-to-date by opening the Play Store app, tapping on your account icon (the small circle) at the top right corner of the screen, and accessing the Manage apps and device screen.

By the way, despite the imperfections in Google Play, we strongly recommend that you stick to it if you can.

Even though Google doesn’t always keep malware out, the Play Store does have a vetting process that all apps have to go through, as well as a mechanism for keeping installed apps up-to-date reliably…

…which is a lot better than an unknown “alternative” app store open to anyone to submit any app they like, including apps that have already been rejected by Google itself.


Exit mobile version