Google has confirmed a critical security threat for Android 8, 9 and 10 users that could permanently …
The December 2019 Android Security Bulletin has been published by Google and contains details of several vulnerabilities within the Android operating system. In total, three vulnerabilities have been given a critical rating. However, Google has highlighted one of these as being “the most severe,” and for very good reason: a single maliciously crafted message could “cause a permanent denial of service.” If you tend to hang fire when the “a software update is available” notification lands on your Android smartphone, you might want to hit the “yes” button a bit quicker on this occasion. In fact, I’d recommend installing the December security update just as soon as it is available to you. Unfortunately, not all Android devices receive these security updates, and those that do don’t necessarily get them as quickly as they should.
Android security threats
It has not, truth be told, been the greatest few weeks for Android users when it comes to security. First, there was a vulnerability that could allow an attacker to take control of the Google and Samsung camera apps and remotely snap photos and record audio. This jaw-dropping threat had the potential to impact hundreds of millions of Android users. Then, in short order, came the news that a new text messaging update using Rich Communication Services (RCS) could expose users to a hacking risk, and the “StrandHogg” vulnerability that could grant hackers access to your text messages and photos as well as the ability to steal your login credentials. Now comes the news, confirmed by Google in the latest Android Security Bulletin, that a critical vulnerability exists that could remotely execute a “permanent” denial of service attack on your Android device by using a specially crafted message.
What is the CVE-2019-2232 permanent denial of service Android vulnerability?
CVE-2019-2232 has been rated as the most severe of three critical vulnerabilities addressed in the December Android Security Bulletin. The official NIST National Vulnerability Database description of the vulnerability says that improper input validation in the “handleRun of TextLine.java” could create a “possible application crash.” In other words, a maliciously crafted message could cause a denial of service on your Android device: a permanent denial of service attack that could effectively kibosh your smartphone. “User interaction is not needed for exploitation,” the description continues, and the remote denial of service attack needs “no additional execution privileges,” for good measure.
The vulnerability applies to Android 8.0, Android 8.1, Android 9 and Android 10 versions.
How can you mitigate this critical Android security threat?
The good news is that fixes for CVE-2019-2232 and the other security vulnerabilities disclosed in the December 2019 Android Security Bulletin have already been released to the Android Open Source Project (AOSP) repository.
The bad news is that when, and indeed if, you will get the update depends upon the manufacturer of your device. Samsung, for example, has said that it “is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process.” However, I have recently bought a Galaxy Note 10+ 5G, as flagship a device as Samsung has currently, and it is yet to receive the December security update. Samsung stated that “while we are doing our best to deliver the security patches as soon as possible to all applicable models, delivery time of security patches may vary depending on the regions and models.”
Users of Google Pixel devices, as you might imagine, will receive the updates more quickly. “Google devices start receiving OTA updates on the same day the monthly bulletin is released,” Google said. “In general,” the Google statement continues, “it takes about one and a half calendar weeks for the OTA to reach every Google device.”
While owners of newer devices from larger manufacturers will receive the security update sometime soon, those with older Android devices and ones from more obscure brands may not get it at all.
You can determine if you have been protected against this critical threat by checking your security patch level. To do this, look for the “About Phone” option in your device settings menu.
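To make that “About Phone” check repeatable from a workstation, here is an added shell script (not from the article, Google or any manufacturer) that reads the patch level a connected device reports over adb and compares it with the level that carries the December 2019 fixes. It assumes that level is 2019-12-01, the bulletin's first patch-level string, and that USB debugging is enabled on the handset.

```shell
#!/bin/sh
# Added example, not code from the article or from Google: decide whether an
# Android device's security patch level already contains the December 2019
# fixes (including CVE-2019-2232). Assumption: those fixes ship at patch level
# 2019-12-01, so a device at that level or later is treated as patched.
REQUIRED_PATCH_LEVEL="2019-12-01"

# patch_level_ok LEVEL: returns 0 if LEVEL (YYYY-MM-DD) is at or beyond the
# required level, 1 if it is older, 2 if LEVEL is not a well-formed level.
patch_level_ok() {
  level="$1"
  case "$level" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 2 ;;
  esac
  # Once the format is fixed, the digits compare correctly as integers.
  have=$(printf '%s' "$level" | tr -d '-')
  need=$(printf '%s' "$REQUIRED_PATCH_LEVEL" | tr -d '-')
  if [ "$have" -ge "$need" ]; then
    return 0
  fi
  return 1
}

# verdict LEVEL: one-line human-readable result for LEVEL.
verdict() {
  rc=0
  patch_level_ok "$1" || rc=$?
  case "$rc" in
    0) printf 'patched: %s includes the December 2019 fixes\n' "$1" ;;
    1) printf 'vulnerable: %s predates %s\n' "$1" "$REQUIRED_PATCH_LEVEL" ;;
    *) printf 'unknown: "%s" is not a valid patch level\n' "$1" ;;
  esac
}

# device_patch_level: the value shown as "Android security patch level" under
# Settings > About phone, read over adb from the connected handset.
device_patch_level() {
  adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# Constructed sample levels, so the script demonstrates itself offline.
for sample in 2019-11-05 2019-12-01 2020-01-05 unknown; do
  verdict "$sample"
done
# Only query a real handset when adb is installed and a device is attached.
if command -v adb >/dev/null 2>&1 && [ "$(adb get-state 2>/dev/null)" = "device" ]; then
  verdict "$(device_patch_level)"
fi
```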
I will finish by quoting the advice given to me by Ian Thornton-Trump, a cyber threat intelligence expert and member of the infosecurity education collective known as The Beer Farmers: “If you can’t update the device due to age or a lack of manufacturer support it’s time for a new device.”