Android Security Bulletin + Other vulnerabilities!

corkie

Android Security Bulletin—November 2017

Pixel / Nexus Security Bulletin—November 2017

The above bulletins, usually get published on the first Monday (not on a holiday) of the month! They can be found here. (Sometimes posted on a Tuesday, if Monday is a holiday). Usually around 18 Hours GMT.

The get release around the same time as factory/OTA images for nexus and pixel devices.

Which also have an additional bulletin available here.

This month we have the KRACK vulnerability patched.


The security patches have two levels, and if your finding device/rom is only patching to the first level, then either your device doesn't need the second level patches or the maintainer of the rom/device is just been lazy. This month we have 3 levels, third including the KRACK patch.


For custom roms patches can take anything from 48 hours to a week to be release to AOSP. So depending on the release schedule of your rom, you may not see the patches until up 2 weeks later.

Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

OEM's are notified a month in advance of these patches, so if you see that patches or at all, depends on the manufacturer of your device.



Normally I post the security bulletins link's in the Android Version Factory Image thread, but since I no longer have device that get these (nor do I see myself getting a google device in the foreseeable further), hence this thread.



Other vulnerabilities!

KRACK and Blueborne are, in my opinion, over hyped security risks. And they where quickly patched in customs roms, such as Lineage OS, before google release the patches this month for the Nexus/Pixel devices. Nexus 6 & 9 support ended last month and probably won't receive the KRACK patch on official rom (has not yet anyway).



Why this thread?

Partially surprised a thread like this didn't already exist. Hopefully it can be a catch all thread for security issues and would be more applicable to more than just the factory image threads.

Please share your thoughts.

NTC

Thanks for this, I did not realize that android had a 'patch monday'

corkie

@NTC - Your welcome.

AOSP patches have been published, so any custom roms (i.e. LOS) made available after tomorrow(9th) should have the patches.

corkie

Pixel won’t get KRACK fix until December, but is that really a big deal?

Android's security bulletin process

....
Normally, there are two security bulletins at the beginning of the month. The bulletin dated the 1st of the month covers bugs in AOSP, which are fixed directly by Google. These are generally going to be easier to implement on devices because only Google and the OEM are involved. Not every security vulnerability happens exclusively in AOSP, though—sometimes a bug exists in the proprietary code controlled by various component vendors that produce the SoCs, Wi-Fi modules, and other components in a device. Since these patches are the responsibility of the vendor (Qualcomm, Broadcom, Nvidia, etc) and require coordination with Google and the OEM, they can take longer to fix. These bugs therefore get filed to a second security bulletin, dated the 5th of the month.
....

....
Users can see what patch level they're on via the "Android security patch level" field on the "About Phone" screen. Bulletin releases like "2017-11-06" will be reformatted to "November 6th, 2017," and each release date covers the vulnerabilities in the previous releases. This month, users will get a monthly security patch, but it might be dated November 5th, and therefore not have the KRACK fix. Unless you see "November 6th, 2017" in your "About Phone" screen, your phone isn't patched for KRACK.
...

corkie

Android security: Sneaky three-stage malware found in Google Play store

Another crop of Android apps hiding malware have been discovered in - and removed from - the Google Play store.

Researchers at ESET discovered eight apps available to download via Google Play which all carried Trojan Dropper, a form of malware which allows attackers to drop additional malicious payloads ranging from banking trojans to spyware.

Disguised as apps including news aggregations and system cleaners, the apps looked legitimate but hid their malicious properties with the help of obfuscation and delaying the installation of the payload.

Multi-Stage Android Malware Evades Google Play Detection

A newly discovered multi-stage Android malware that managed to sneak into Google Play is using advanced anti-detection features, ESET security researchers reveal.

Eight malicious applications hiding the new threat were found in the official application store, all legitimate-looking but delaying the malicious activity to hide their true intent. Google has removed all eight programs after being alerted of the threat.

Detected as Android/TrojanDropper.Agent.BKY, the applications form a new family of multi-stage Android malware, ESET says. Although the most popular of these apps reached only several hundred downloads, the use of advanced anti-detection features makes this malware family interesting.

Both of the above links are discussing the same malware!

corkie

New Android Vulnerability Tricks Users Into Recording Their Screen

Android is on billions of devices worldwide, and new vulnerabilities are discovered every day. Now, an exploit discovered by MWR InfoSecurity details how applications in Android versions between 5.0 and 7.1 can trick users into recording screen contents without their knowledge.

It involves Android’s MediaProjection framework, which launched with 5.0 Lollipop and gave developers the ability to capture a device’s screen and record system audio. In all Android versions prior to 5.0 Lollipop, screen-grabbing applications were required to run with root privileges or had to be signed with special keys, but in newer versions of Android, developers don’t need root privileges to use the MediaProjection service and aren’t required to declare permissions.

On the user-facing side of things, MWR InfoSecurity adds that this attack is not completely undetectable. The report states:

“When an application gains access to the MediaProjection Service, it generates a Virtual Display which activates the screencast icon in the notification bar. Should users see a screencast icon in their devices notification bar, they should investigate the application/process currently running on their devices.”

Beware! New Exploit On Android Tricks Users Into Recording Screen Content Without Consent

corkie

Android Security Bulletin—December 2017


Pixel / Nexus Security Bulletin—December 2017

Note: The Google device firmware images will be available on the Google Developer site on Tuesday, December 5th.

Last months security patches didn't reach LineageOS until the week starting the 20th of November. So as stated in OP, they can take up to 2 weeks to be applied. KRACK was patched well in advance of the bulletin.



Posting this news as a reminder for anyone flashing custom roms, TWRP 3.2.0-0 Released!



Other Security News : -

Google has been tightening up the rules for what apps are allowed to do: -

Google will remove Play Store apps that use Accessibility Services for anything except helping disabled users


Google finally bans apps that include shady lock screen ads from the Play Store


Google Safe Browsing will soon require apps with personal user or device data to provide a privacy policy, trigger warnings if they don't


Some apps if they don't follow Accessibility Services rules will be removed from the appstore, so no longer will be able to update (or even may stop working).

Happy Holidays!

corkie

Currency-mining Android malware is so aggressive it can physically harm phones


Trojan.AndroidOS.Loapi

A newly discovered piece of Android malware carries out a litany of malicious activities, including showing an almost unending series of ads, participating in distributed denial-of-service attacks, sending text messages to any number, and silently subscribing to paid services. Its biggest offense: a surreptitious cryptocurrency miner that's so aggressive it can physically damage an infected phone.

Google improving app security, performance w/ Android version target & 64-bit requirements




LineageOS had December Patches applied in last weeks roms.

corkie

Android Security Bulletin—January 2018


Pixel / Nexus Security Bulletin—January 2018


Factory and OTA Images also available for supported devices.

Note: CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754, a set of vulnerabilities related to speculative execution in processors, have been publicly disclosed. Android is unaware of any successful reproduction of these vulnerabilities that would allow unauthorized information disclosure on any ARM-based Android device.

To provide additional protection, the update for CVE-2017-13218 included in this bulletin reduces access to high-precision timers, which helps limits side channel attacks (such as CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754) of all known variants of ARM processors.

We encourage Android users to accept available security updates to their devices. See the Google security blog for more details.

Google Blog: - Today's CPU vulnerability: what you need to know -- January 3, 2018

HAPPY NEW YEAR!

corkie

Android Security Bulletin—February 2018


Pixel / Nexus Security Bulletin—February 2018

Edit: - [XDA] February Android and Pixel Security Bulletins are Live with Factory Images and OTAs


Note: - Even with a device that was patched to 2018-01-05 (January), you may not have had the kernel patches for Spectre and Meltdown.

Only latest Google/OEM devices on official roms probably have the patches applied.


Under LineageOS only 1 Kernel (2 similar devices) had the kernel patches applied. With 4 Devices unaffected. Based on the poorly maintained cve pages.

Vahevala

The security patches are so slow for older devices. I am still on 1st December security patch. Oh well

OldMrBrennan83

This post has been deleted.

corkie

Android Security Bulletin—March 2018


Pixel / Nexus Security Bulletin—March 2018


[XDA] Android and Pixel Security Bulletins for March are Now Available with OTA and Factory Images




New 4G LTE Network Attacks Let Hackers Spy, Track, Spoof and Spam

corkie

Android Security Bulletin—April 2018

Pixel / Nexus Security Bulletin—April 2018



[XDA] Android Security Bulletin for April is Now Available with OTA and Factory Images

biebiebie

Great info for those who have an interest in security (average Joe doesn't imho).

Great if you have a Google phone.
Not so bad if you have an Android One phone.

And the rest ? Eg I have a Moto and get security updates every quarter!

Samsung is once a month as far as I can see.

What about other manufacturers?

corkie

biebiebie wrote: »

Great info for those who have an interest in security (average Joe doesn't imho).

Great if you have a Google phone.
Not so bad if you have an Android One phone.

And the rest ? Eg I have a Moto and get security updates every quarter!

Samsung is once a month as far as I can see.

What about other manufacturers?

Good and reliably maintained Custom roms usually get update monthly as well.

But depending on the maintainers and age of the device, kernel level patches can be left lacking.

My Redmi Note 3 and Nexus 9, running LineageOS 14.1 have not been patched for Spectre (Kernel patch from January). N9 might not be affected. Even thought the devices have the latest patch string.

And Kenzo maintainer has abandon the device. But other developers are try to get Official status so there is hope yet.


As you said this thread is provided more as information to say the Bulletin has been posted for people who care. But to the average JOE allot of this is probably double dutch as far as they are concerned

corkie

[XDA] Google is Possibly Splitting the Android Security Patch Levels for Faster Security Updates

.....
Now, it appears that the company may be making changes to the Android Security Patch system by providing a way to distinguish between the Android framework patch level and the vendor patch level along with the bootloader, kernel, etc. to either split the security patch levels so OEMs can provide pure framework updates or better identify to the user what patch level they are running.
.....

corkie

[WIRED] How Android Phones Hide Missed Security Updates From You

.....

Not only do many Android phone vendors fail to make patches available to their users, or delay their release for months; they sometimes also tell users their phone's firmware is fully up to date, even while they've secretly skipped patches.

.....

Given that kind of hidden inconsistency, "it's almost impossible for the user to know which patches are actually installed," Nohl says. In an effort to solve that missing patch transparency problem, SRL Labs is also releasing an update to its Android app SnoopSnitch that will let users check their phone's code for the actual state of its security updates.

......

SnoopSnitch <<< Apk Playstore


[9to5google] How to check if your phone is missing security patches with ‘SnoopSnitch’

^^^ Note: - you can click on a date to see security patches missing and the app only check patches up to December 2017.

ED E

Came to post that.

Wonder how the ROMing community compares.

corkie

ED E wrote: »

Came to post that.

Wonder how the ROMing community compares.

Don't know much about the state of other custom roms, but depending on device, LineageOS (Official) has been lacking in Kernel Level Patches for a good while, even with the latest security patch string.

Going by the badly maintained CVE Pages, Spectre has only been patched for a few devices.

Also could be the reason the limited devices have got 15.1, Spectre patches maybe a requirement of there LDSR (LineageOS Device Support Requirements).

https://cve.lineageos.org/kernels


Some more discussion on reddit about the article.

corkie

Update on the Snoopsnitch App. <<<< Use at your own risk!

As already stated the app only looks at patches up to Dec 2017.

Also it only checks userland patches and not Kernel, Vendor or firmware patches.

Last week there was hype around the security patches. Followup article about SnoopSnitch App.

Remember that mobile security companies only want to sell you something
A company who wants your money just might say anything to get it.


The app is also very intrusive if you use it's StingRay features. Which has also been proved useless.


Those Free Stingray-Detector Apps? Yeah, Spies Could Outsmart Them


Those 'stingray' detector apps are basically useless, say researchers



I got caught up in the hype of the article last week and shared the information here without proper research.

Another long thread on /r/LineageOS about it.
^^^ OP comment proven false as well.

corkie

Android Security Bulletin—May 2018



Pixel / Nexus Security Bulletin—May 2018

corkie

Android Security Bulletin—June 2018




Pixel / Nexus Security Bulletin—June 2018




Sorry for delayed posting, was not expecting them tonight due to holiday.

corkie

Android Security Bulletin—July 2018




Pixel / Nexus Security Bulletin—July 2018



Posts and discussion about the below in the apps thread.


Android WARNING: Dangerous Google Play Store app

MX Player News! <<< App sold to Indian Company.

jacksie66

This post has been deleted.

OldMrBrennan83

This post has been deleted.

corkie

Android Security Bulletin—August 2018




Pixel / Nexus Security Bulletin—August 2018




Android 9 Pie is available for Google Pixel phones today



Android 9 (Pie) Factory Images (and OTAs) Release



[XDA] Android Pie is here for the Google Pixel & Google Pixel 2


[XDA] Android Oreo’s rollback protection required on phones launching with Android Pie

corkie

Vulnerabilities Found in the Firmware of 25 Android Smartphone Models

Some big OEM brands listed

These vulnerabilities were discovered in both the default apps that come preinstalled on some devices by default (and are sometimes unremovable), but also in the firmware of core device drivers that can't be removed without losing some of the phone's functionality, if not access to the device as a whole.

US mobile and IoT security firm Kryptowire unearthed these vulnerabilities as part of a grant awarded by the Department of Homeland Security (DHS).

The smartphone brands (OEMs) included on Kryptowire's list include big names such as ZTE, Sony, Nokia, LG, Asus, and Alcatel, but also smaller companies such as Vivo, SKY, Plum, Orbic, Oppo, MXQ, Leagoo, Essential, Doogee, and Coolpad.

"With the hundreds of mobile phone makes and models on the market and thousands of versions of firmware, best-effort manual testing and evaluations simply cannot scale to address the problem of identifying vulnerabilities in mobile phone pre-installed apps and firmware," said Angelos Stavrou, CEO of Kryptowire, in a press release also announcing the release of a new enterprise-targeted platform for automatically testing the firmware and apps of Android mobile devices.

corkie

Android Security Bulletin—September 2018





Pixel / Nexus Security Bulletin—September 2018

corkie

Android Security Bulletin—October 2018



Pixel / Nexus Security Bulletin—October 2018

corkie

Android Security Bulletin—November 2018






Pixel / Nexus Security Bulletin—November 2018