Android Security Bulletin + Other vulnerabilities!

Android's security bulletin process

....
Normally, there are two security bulletins at the beginning of the month. The bulletin dated the 1st of the month covers bugs in AOSP, which are fixed directly by Google. These are generally going to be easier to implement on devices because only Google and the OEM are involved. Not every security vulnerability happens exclusively in AOSP, though—sometimes a bug exists in the proprietary code controlled by various component vendors that produce the SoCs, Wi-Fi modules, and other components in a device. Since these patches are the responsibility of the vendor (Qualcomm, Broadcom, Nvidia, etc) and require coordination with Google and the OEM, they can take longer to fix. These bugs therefore get filed to a second security bulletin, dated the 5th of the month.
....

....
Users can see what patch level they're on via the "Android security patch level" field on the "About Phone" screen. Bulletin releases like "2017-11-06" will be reformatted to "November 6th, 2017," and each release date covers the vulnerabilities in the previous releases. This month, users will get a monthly security patch, but it might be dated November 5th, and therefore not have the KRACK fix. Unless you see "November 6th, 2017" in your "About Phone" screen, your phone isn't patched for KRACK.
...

Android is on billions of devices worldwide, and new vulnerabilities are discovered every day. Now, an exploit discovered by MWR InfoSecurity details how applications in Android versions between 5.0 and 7.1 can trick users into recording screen contents without their knowledge.

It involves Android’s MediaProjection framework, which launched with 5.0 Lollipop and gave developers the ability to capture a device’s screen and record system audio. In all Android versions prior to 5.0 Lollipop, screen-grabbing applications were required to run with root privileges or had to be signed with special keys, but in newer versions of Android, developers don’t need root privileges to use the MediaProjection service and aren’t required to declare permissions.

On the user-facing side of things, MWR InfoSecurity adds that this attack is not completely undetectable. The report states:

“When an application gains access to the MediaProjection Service, it generates a Virtual Display which activates the screencast icon in the notification bar. Should users see a screencast icon in their devices notification bar, they should investigate the application/process currently running on their devices.”

A newly discovered piece of Android malware carries out a litany of malicious activities, including showing an almost unending series of ads, participating in distributed denial-of-service attacks, sending text messages to any number, and silently subscribing to paid services. Its biggest offense: a surreptitious cryptocurrency miner that's so aggressive it can physically damage an infected phone.

biebiebie wrote: »

Great info for those who have an interest in security (average Joe doesn't imho).

Great if you have a Google phone.
Not so bad if you have an Android One phone.

And the rest ? Eg I have a Moto and get security updates every quarter!

Samsung is once a month as far as I can see.

What about other manufacturers?

.....

Not only do many Android phone vendors fail to make patches available to their users, or delay their release for months; they sometimes also tell users their phone's firmware is fully up to date, even while they've secretly skipped patches.

.....

Given that kind of hidden inconsistency, "it's almost impossible for the user to know which patches are actually installed," Nohl says. In an effort to solve that missing patch transparency problem, SRL Labs is also releasing an update to its Android app SnoopSnitch that will let users check their phone's code for the actual state of its security updates.

......

ED E wrote: »

Came to post that.

Wonder how the ROMing community compares.

Some big OEM brands listed

These vulnerabilities were discovered in both the default apps that come preinstalled on some devices by default (and are sometimes unremovable), but also in the firmware of core device drivers that can't be removed without losing some of the phone's functionality, if not access to the device as a whole.

US mobile and IoT security firm Kryptowire unearthed these vulnerabilities as part of a grant awarded by the Department of Homeland Security (DHS).

The smartphone brands (OEMs) included on Kryptowire's list include big names such as ZTE, Sony, Nokia, LG, Asus, and Alcatel, but also smaller companies such as Vivo, SKY, Plum, Orbic, Oppo, MXQ, Leagoo, Essential, Doogee, and Coolpad.

"With the hundreds of mobile phone makes and models on the market and thousands of versions of firmware, best-effort manual testing and evaluations simply cannot scale to address the problem of identifying vulnerabilities in mobile phone pre-installed apps and firmware," said Angelos Stavrou, CEO of Kryptowire, in a press release also announcing the release of a new enterprise-targeted platform for automatically testing the firmware and apps of Android mobile devices.