Two critical flaws were fixed on Nexus devices via an over-the-air security update.
Two critical Android vulnerabilities were recently disclosed and patched on Nexus devices via an over-the-air security update.
The first, discovered by Google Project Zero researcher Mark Brand, allows an attacker to remotely execute malware or escalate local privileges on exposed phones. Despite its “straightforward” nature, the bug is “extremely serious” and can be spread in a variety of ways, Brand wrote in a blog post.
“It’s interesting that it’s been undiscovered for so long,” he said.
Brand’s exploit works only on an undisclosed subset of Nexus handsets, and could not “be used in real-world attacks without substantial modification and even further research,” Google told Ars Technica.
Still, Brand suggested it is present in a number of recent releases. “The provided exploit performs this on several recent Android versions for the Nexus 5x, and is both reliable and fast in my testing,” he said.
According to September’s Android security bulletin, Google has not yet received any reports of active customer exploitation or abuse of these newly reported issues. Still, the company encourages all customers to update their devices when they can.
The same update patches a second vulnerability similar to Stagefright. As reported by Ars, the bug is exploited by hiding malicious code in embedded JPEG image data, then sending the picture via Gmail or Google Talk. The unsuspecting target doesn’t need to click on or open any links to become compromised.
These vulnerabilities were made public around the same time that security firm Check Point disclosed two sets of malware planted in Google Play apps. Unveiled in late August, DressCode was allegedly used to spoof ad clicks and generate revenue for the attacker, but can also be used to breach private internal networks. CallJam, meanwhile, was concealed inside the game Gems Chest for Clash Royale, and includes a premium dialer to generate fraudulent phone calls—but only after receiving permission from the device owner.
Google did not immediately respond to PCMag’s request for comment.