Tag: android security

CERT-In Warns of Over 50 Security Flaws Affecting Android Smartphones: All You Need to Know

CERT-In — or Indian Computer Emergency Response Team — has warned of several security vulnerabilities affecting multiple versions of Android. These security flaws, if exploited by a malicious user, could be used to execute dangerous code, collect sensitive data, and launch a denial-of-service (DoS) attack on a victim. The security vulnerabilities affect three major versions of Android, across various parts of Google’s operating system (OS) — from the framework to components from Arm, MediaTek, Qualcomm, Unisoc, and others, according to the cybersecurity agency.

In a vulnerability note issued earlier this week, CERT-In lists out 51 security flaws affecting the Android OS. The nodal agency responsible for dealing with cybersecurity issues and threats has issued a critical severity rating for the vulnerability note. All the entries listed by CERT-In have been assigned a Common Vulnerabilities and Exposures (CVE) number.

According to CERT-In, these vulnerabilities affect Android 13, Android 12, Android 12L, and Android 11. It is currently unclear whether Android 14 is also affected as the source code for Android 14 was published a few days before the advisory was issued.

The 51 security flaws listed by CERT-In affect various parts of the Android operating system from the Android framework, the Android system, and Google Play system updates. Meanwhile, software for components not directly controlled by Google, including those from Arm, MediaTek, Unisoc, and Qualcomm, are also affected by these vulnerabilities.

Attackers who exploit these flaws could potentially elevate their privileges on a target’s smartphone, execute arbitrary (and malicious) code, extract sensitive information, and even perform a denial-of-service (DoS) attack, according to CERT-In.

Two of these flaws — CVE-2023-4863 and CVE-2023-4211 — could be actively exploited by attackers, and users should apply security patches “urgently”, according to the agency. These flaws relate to the Chromium engine that powers Google’s browser, and GPU memory processing operations on Android, respectively.

Users running on Pixel smartphones can install the latest update that includes the October security patches. Unfortunately, users who own smartphones from other manufacturers will have to wait until a security update is released along with fixes for these security flaws. 

Affiliate links may be automatically generated – see our ethics statement for details.

Check out our Latest News and Follow us at Facebook

Original Source

Millions on Android Devices Exposed by Unpatched Apple Lossless Codec Flaw: Researchers

Security flaws in an audio codec have been uncovered by security researchers, putting millions of Android phones and other Android devices powered by chipsets from MediaTek and Qualcomm at risk of being compromised by hackers. Stemming from an codec created by Apple several years ago, the vulnerabilities were left unpatched since the company open-sourced the codec 11 years ago, for inclusion on non-Apple devices. By leveraging the security flaws, an attacker could remotely get access to an Android phone’s media and audio conversations, according to the researchers.

According to a report by researchers at Check Point Research, a flaw in the Apple Lossless Audio Codec (ALAC) from Apple allows an attacker to perform a remote code execution (RCE) attack on a target smartphone, after sending a malformed audio file. An RCE attack can allow the attacker to gain control of multimedia on the handset, including streaming video from the cameras, accessing media and user conversations.

The security flaws were discovered in Apple’s ALAC codec, which was open-sourced by the company in 2011 — allowing non-Apple devices to stream music in ‘lossless’ quality using Apple’s previously proprietary codec. However, while Apple patched the proprietary version of the ALAC codec, the open-source version remained unpatched, according to the researchers.

As a result, Qualcomm and MediaTek, chipset manufacturers who ported the vulnerable ALAC codec to their audio decoders, resulting in over two thirds of all smartphones sold in 2021 being vulnerable to the security flaws, dubbed “ALHACK”, according to the researchers. The vulnerabilities were responsibly disclosed to Qualcomm and MediaTek, who both acknowledged the issues and assigned Common Vulnerabilities and Exposures (CVE) for the flaws. MediaTek assigned CVE-2021-0674 and CVE-2021-0675 (with ‘Medium’ and ‘High’ ratings, respectively), while Qualcomm assigned CVE-2021-30351 (with a ‘Critical’ rating of 9.8 out of 10) for the ALAC flaws, before patching them.

According to the researchers, both companies have issued patches for the flaws included in the December 2021 Android security bulletin, which means that users with smartphones that received the December security patches should be safe from the vulnerabilities. However, this leaves out millions of users running outdated software, or users who receive erratic security updates — putting them at risk of being compromised by attackers.

Check out our Latest News and Follow us at Facebook

Original Source

Exit mobile version