Google Fixes Critical Android Security Vulnerabilities

Google has released the Android Security Bulletin for February 2025, which documents the vulnerabilities in the mobile operating system that its developers have fixed in the open-source code. The bulletin also includes security patches from the Linux kernel and security-relevant bug fixes from chip manufacturers. For its Pixel devices, Google publishes a separate report on fixed vulnerabilities, though often with some delay.

The fixed vulnerabilities are usually spread over two so-called patch levels. The first, 2025-02-01, contains the fixes in AOSP (Android Open Source Project). Patch level 2025-02-05 documents the fixes in the Linux kernel and in the chipsets of different suppliers. The latter only ever affect some Android devices because manufacturers install different hardware components. Accordingly, Google obliges the manufacturers to implement the matching security patches.

For patch level 2025-02-01, the February security bulletin lists 23 fixed vulnerabilities in the core components of the operating system. There are 17 of them in the framework, five in the system, and one in the platform. Google classifies all of them as high risk, but remote code execution (RCE) vulnerabilities are not among them. Exploiting most of them could give an attacker elevated local privileges. As far as is known, none of these vulnerabilities has been used in attacks so far.

Security updates will be distributed as part of the Mainline project to close the CVE-2024-49723 data leak in the security module Conscrypt. These updates are intended for devices that no longer receive manufacturer support.

For the hardware-related patch level 2025-02-05, the February bulletin also lists 23 fixed vulnerabilities. Here, however, there is a zero-day among them: CVE-2024-53104 in the kernel. The affected sub-component is UVC (USB video camera). Google classifies this elevation of privilege (EoP) vulnerability as high risk and states that there are indications that it is being used for “limited, targeted” attacks.

All but one of these vulnerabilities are rated as high risk. They are spread across components from the chip suppliers ARM (Mali GPU), Imagination Technologies (PowerVR GPU), MediaTek, Unisoc, and Qualcomm. One vulnerability in the WLAN component from Qualcomm (CVE-2024-45569) is classified as critical.
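The patch level a device reports shows which of the two sets of fixes described above it can contain. The following Python sketch is an added example, not part of the bulletin or of Google's tooling: it classifies reported patch levels from a constructed inventory with hypothetical device names, assuming that a later patch level includes all fixes of earlier ones.

```python
import re
from datetime import date

# Patch levels named in the February 2025 bulletin, as given in the article.
AOSP_LEVEL = date(2025, 2, 1)    # framework, system and platform fixes
VENDOR_LEVEL = date(2025, 2, 5)  # kernel and chipset fixes, incl. CVE-2024-53104

# Constructed sample inventory: hypothetical device name, reported patch level
# (on a device this string is the ro.build.version.security_patch property).
INVENTORY = """\
phone-a,2025-02-05
tablet-b,2025-02-01
phone-c,2025-01-05
phone-d,2025-02-30
"""

def parse_level(text):
    """Return a date for a strict YYYY-MM-DD string, else None."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", text.strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # well-formed but impossible date, e.g. 2025-02-30
        return None

def classify(level_text):
    """Map a patch level string to its coverage of the February 2025 bulletin."""
    level = parse_level(level_text)
    if level is None:
        return "unknown"      # treat as unpatched until verified
    if level >= VENDOR_LEVEL:
        return "full"         # assumed to include the 2025-02-01 fixes too
    if level >= AOSP_LEVEL:
        return "aosp-only"    # kernel and chipset fixes not guaranteed
    return "missing"          # predates both February levels

def audit(inventory_text):
    """Return {device: status} for every non-empty inventory line."""
    report = {}
    for line in inventory_text.splitlines():
        if line.strip():
            name, _, level = line.partition(",")
            report[name.strip()] = classify(level)
    return report

def lacks_kernel_fix(report):
    """Devices that cannot be assumed to carry the CVE-2024-53104 fix."""
    return sorted(name for name, status in report.items() if status != "full")
```

Calling `lacks_kernel_fix(audit(INVENTORY))` returns the devices to prioritise for the kernel fix; a malformed or missing level is reported as `unknown` rather than silently counted as patched.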

The separate bulletin for Google’s Pixel devices has not yet been published. Google often only publishes it days after the Android Security Bulletin.

The number of smartphone and tablet manufacturers that provide more or less regular security updates for their devices has increased in recent years, but there is still a lot of room for improvement, all the more so because some manufacturers only offer monthly updates for their expensive top models. While Samsung delivers the updates promptly, sometimes even ahead of Google, other manufacturers lag behind by several weeks (or longer).

Information on device updates by manufacturer can be found on the following websites:
– Fairphone: https://support.fairphone.com/hc/en-us/sections/9114520705553-Software-Updates-Information
– Gigaset: https://service.gigaset.com/de/support/solutions/articles/75000058126-software-update-android-version-update-support-ende
– Google (Pixel devices): https://source.android.com/docs/security/bulletin/pixel
– Huawei: https://consumer.huawei.com/de/support/bulletin/
– Lenovo (smartphones, tablets): https://support.lenovo.com/de/de/solutions/ht501098-android-upgrade-matrix
– LG: https://lgsecurity.lge.com/bulletins/mobile
– Motorola (Lenovo): https://de-de.support.motorola.com/app/software-security-update_link/g_id/6853
– Nokia (HMD Global): https://www.nokia.com/phones/en_int/security-updates
– OnePlus: https://security.oneplus.com/en/home
– Oppo: https://security.oppo.com/en/mend
– Samsung: https://security.samsungmobile.com/securityUpdate.smsb
– Sony: https://xpericheck.com/
– Vivo: https://www.vivo.com/en/security
