Google Android RCE Bug Allows Any Wannabe Hacker Full Access To Your Android Smartphone
A remote code execution (RCE) vulnerability in the Android operating system could give hackers control of your smartphone. The bug is rated critical and is tracked as CVE-2020-0103. The vulnerability allowed any wannabe hacker to use an app loaded with specially crafted malware to execute arbitrary code.
It is one of the 39 vulnerabilities in the Android operating system patched by Google in its latest security patch, according to a security bulletin published Monday 4th May 2020. The Google security bulletin says that it has patched the remote code execution vulnerability CVE-2020-0103. The CVE is not mentioned on the CVE Mitre site by NVD.
Google says that the 39 vulnerabilities patched in the May patch are high risk for individuals as well as enterprises and government employees. CVE-2020-0103 is the most critical flaw patched in the May patch.
“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process,” the company wrote in the bulletin.
Google has released the patch for its Google Pixel and Google Nexus smartphones, but other Android smartphones are still vulnerable to these 39 critical flaws. Your Android smartphone could still be at risk from the RCE bug because manufacturers are often lethargic in pushing the Google security patches to end customers. However, the potential for exploitation depends on the privilege status of an application, according to the Center for Internet Security’s (CIS’s) advisory on the flaw.
“If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights,” according to the post.
The latest Android bulletin also lists other vulnerabilities that have been patched with the Android security patch dated May 5. Out of the 39 vulnerabilities, 36 were classified as high-severity, 1 was classified as moderate, and 2 were classified as critical. Apart from CVE-2020-0103, the other critical-severity flaw (CVE-2020-3641) was in a Qualcomm closed-source component and has not yet been detailed.
Google also patched a critical flaw in Android’s Framework component, CVE-2020-0096, that could enable a local attacker to execute arbitrary code within the context of a privileged process, the company said. The vulnerability was one of three patched in this component, the other two of which had a severity rating of high.
The May patch also has fixes for four highly critical vulnerabilities in Android’s Media framework; eight highly critical vulnerabilities in Qualcomm components; four highly critical flaws in MediaTek components; and two highly critical vulnerabilities in Android Kernel components.
If you own a Google Pixel or Google Nexus device, you can check here if your Android operating system has been patched.
Google has advised all Android smartphone manufacturers about the vulnerabilities and released patches to them for onward release to smartphone users after testing. Smartphone manufacturers like Samsung, who are quick to issue patches and fixes, should be able to patch their Android smartphone brands within a month. Others like Xiaomi and OnePlus, who are often very slow to test and release the patch, would take anywhere between two and three months.
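The following shell script is an added example, not part of the original article or Google's bulletin. It classifies devices against the May 5 patch level mentioned above; on a live device the level string can be read with adb shell getprop ro.build.version.security_patch, and the serials and inventory lines here are constructed sample data.

```shell
#!/bin/sh
# Added example: flag devices whose Android security patch level is older
# than the level named in the article (the patch dated May 5, 2020).
# Live input would come from:
#   adb shell getprop ro.build.version.security_patch
REQUIRED="2020-05-05"

# Convert a YYYY-MM-DD patch level to the integer YYYYMMDD.
# Returns non-zero for anything that is not in that exact format.
level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            y=${1%%-*}; rest=${1#*-}; m=${rest%-*}; d=${rest#*-}
            printf '%s%s%s\n' "$y" "$m" "$d" ;;
        *) return 1 ;;
    esac
}

# Print "patched", "vulnerable" or "unknown" for a reported patch level.
# $1 = level reported by the device, $2 = required level (optional).
patch_status() {
    have=$(level_to_int "$1") || { echo unknown; return 0; }
    need=$(level_to_int "${2:-$REQUIRED}") || { echo unknown; return 0; }
    if [ "$have" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# Read "serial,patch_level" lines on stdin and print one verdict per device.
# A missing or malformed level is reported as unknown, never as patched.
audit_inventory() {
    while IFS=, read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s %s %s\n' "$serial" "${level:-missing}" "$(patch_status "$level")"
    done
}

# Constructed sample inventory (hypothetical serials, not real devices).
SAMPLE_INVENTORY='PIXEL-TEST-01,2020-05-05
OEM-TEST-02,2020-04-01
OEM-TEST-03,2020-05-01
OEM-TEST-04,'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

Devices reported as unknown should be followed up by hand rather than assumed patched.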
You are advised not to download and install any APK from any website. Download only trusted vendor apps via the Google Play Store. You should also disable the "Allow App Installations from Unknown Sources" feature in your Android smartphone settings. Users should exercise caution before visiting untrusted websites or following links provided by unknown or untrusted sources. Many of the above flaws can be exploited through email or text messages and attachments.