In the Android Security Bulletin of May 2021, published at the beginning of this month, you can find a list of roughly 40 vulnerabilities in several components that might concern Android users. According to info provided by Google's Project Zero team, four of those Android security vulnerabilities are being exploited in the wild as zero-day bugs.
The good news is that patches are available. The problem with Android patches and updates though is that you, as a user, are dependent on your upstream provider for when these patches will reach your system.
It is always unclear for Android users when they can expect to get the latest updates and upgrades. An Android device is a computer in many regards and it needs regular refreshes, either to patch against the latest vulnerabilities or to add new features as they become available.
An update is when an existing Android version gets improved, and these come out regularly. An upgrade is when your device gets a later Android version. Usually a device can function just fine without getting an upgrade as long as it stays safe by getting the latest updates.
Google is the company that developed the Android operating system (which is itself a type of Linux) and the company also keeps it current. It is also the company that creates the security patches. But then the software is turned over to device manufacturers that create their own versions for their own devices.
So when, or even whether, you get the latest updates depends on the manufacturer of your device. Some manufacturers' devices may never see another update because Google is not allowed to do business with them.
In a note, the bulletin states that there are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663, and CVE-2021-28664 may be under limited, targeted exploitation. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. The four that may be abused in the wild are:
A use-after-free (UAF) vulnerability such as CVE-2021-1905 is caused by incorrect handling of dynamic memory while a program runs. If a program frees a memory location but does not clear the pointer to it and later uses that dangling pointer, an attacker can use the error to manipulate the program.
Snapdragon is a suite of system on a chip (SoC) semiconductor products for mobile devices designed and marketed by Qualcomm Technologies Inc.
Arm Mali GPU is a graphics processing unit for a range of mobile devices from smartwatches to autonomous vehicles developed by Arm.
You can tell whether your device is protected by checking the security patch level.
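As an added example, not code from the post, a POSIX shell script that reads the security patch level from an attached device with adb and compares it against the level that carries the May 2021 bulletin fixes. It assumes adb with USB debugging enabled; ro.build.version.security_patch is the standard Android system property, and 2021-05-01 is the first patch level string of that bulletin.

```shell
#!/bin/sh
# Compare an Android device's security patch level with a bulletin level.

# patch_level_ok DEVICE_LEVEL [REQUIRED_LEVEL]
# Exit 0 when DEVICE_LEVEL (YYYY-MM-DD, as the device reports it) is at or
# after REQUIRED_LEVEL (default 2021-05-01, the May 2021 bulletin level),
# 1 when it is older, 2 when the value is missing or malformed.
patch_level_ok() {
  device=${1:-}
  required=${2:-2021-05-01}
  case $device in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 2 ;;
  esac
  # With the dashes removed an ISO date is an 8-digit integer, so a numeric
  # comparison orders the two levels correctly in any POSIX shell.
  d=$(printf '%s' "$device" | tr -d '-')
  r=$(printf '%s' "$required" | tr -d '-')
  [ "$d" -ge "$r" ]
}

# device_patch_level: read the level from the attached device over adb and
# strip the CR/LF that adb shell output carries.
device_patch_level() {
  adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# report_device [REQUIRED_LEVEL]: human-readable verdict for the attached device.
report_device() {
  level=$(device_patch_level) || return 2
  status=0
  patch_level_ok "$level" "${1:-}" || status=$?
  case $status in
    0) echo "OK: security patch level $level includes the fixes" ;;
    1) echo "OUTDATED: security patch level $level predates the bulletin" ;;
    *) echo "UNKNOWN: could not read a patch level ('$level')" ;;
  esac
  return $status
}

# Only talk to a device when asked, so the functions can be sourced or
# tested on a machine without adb: sh check_patch.sh --device [LEVEL]
if [ "${1:-}" = "--device" ]; then
  report_device "${2:-}"
fi
```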
We would love to tell you to patch urgently, but as we explained, this depends on the manufacturer. Some users who haven't switched to newer devices that still receive monthly security updates might not be able to install these patches at all.
Stay safe, everyone!
The post Android patches for 4 in-the-wild bugs are out, but when will you get them? appeared first on Malwarebytes Labs.