Two critical vulnerabilities were disclosed affecting a large percentage of Android devices. Meanwhile, malicious apps were downloaded nearly 2.5 million times from Google’s Play Marketplace, the primary platform Android users rely on to download and update mobile apps.
While the vulnerabilities have been fixed in updates Google began distributing last week, a large percentage of Android phones aren’t eligible to receive the fixes. Even those that do qualify don’t receive them immediately. As a result, attackers may obtain crude blueprints for exploiting vulnerabilities that remain unpatched on millions of devices.
The first vulnerability was disclosed by Mark Brand, a researcher with Google’s Project Zero security team. Indexed as CVE-2016-3861, it allows attackers to execute malware or escalate local privileges on vulnerable phones. Brand warned that it’s “an extremely serious bug” because it can be exploited in a large variety of ways.
“The bug is quite straightforward, and since it’s quite readily fuzzable, it’s interesting that it’s been undiscovered for so long. The vulnerable code is in libutils, and is in the conversion between UTF16 and UTF8. This code is used in many places, including the android::String8(const android::String16&) constructor,” wrote Brand in a blog post.
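Brand’s description points at a recurring hazard in string conversion code: the routine that computes how many output bytes a UTF-16 string needs and the routine that actually writes the UTF-8 bytes are often written separately, and any disagreement between them over a malformed input (for example a lone surrogate) turns into a heap overflow. The example below is added here for illustration; it is not Android’s libutils code and does not reproduce the specific defect. Its function names (`utf16_decode`, `utf16_to_utf8_length`, `utf16_to_utf8`) and sample inputs are this example’s own. It shows the defensive structure a practitioner wants: both passes derive from the same decoding step, lone surrogates are rejected rather than silently encoded, and the writer checks remaining capacity before every write so a mis-sized buffer yields an error instead of memory corruption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not libutils code). Decode one scalar value from UTF-16.
 * Returns the number of 16-bit units consumed (1 or 2), or 0 if the input
 * at position `pos` is malformed. */
static size_t utf16_decode(const uint16_t *in, size_t len, size_t pos, uint32_t *cp) {
    uint16_t u = in[pos];
    if (u < 0xD800 || u > 0xDFFF) { *cp = u; return 1; }   /* plain BMP code unit */
    if (u >= 0xDC00) return 0;                              /* low surrogate with no high surrogate */
    if (pos + 1 >= len) return 0;                           /* high surrogate at end of input */
    uint16_t lo = in[pos + 1];
    if (lo < 0xDC00 || lo > 0xDFFF) return 0;               /* high surrogate not followed by a low one */
    *cp = 0x10000 + (((uint32_t)u - 0xD800) << 10) + ((uint32_t)lo - 0xDC00);
    return 2;
}

/* Number of UTF-8 bytes needed to encode one scalar value. */
static size_t utf8_width(uint32_t cp) {
    if (cp < 0x80) return 1;
    if (cp < 0x800) return 2;
    if (cp < 0x10000) return 3;
    return 4;
}

/* UTF-8 byte count needed for in[0..len), or -1 on malformed input.
 * Uses the same decoder as the writer below, so the two cannot disagree. */
long utf16_to_utf8_length(const uint16_t *in, size_t len) {
    size_t total = 0;
    for (size_t i = 0; i < len; ) {
        uint32_t cp;
        size_t n = utf16_decode(in, len, i, &cp);
        if (n == 0) return -1;
        total += utf8_width(cp);
        i += n;
    }
    return (long)total;
}

/* Write UTF-8 into `out` (capacity out_cap, no terminator). Returns bytes
 * written, or -1 if the input is malformed or the buffer is too small.
 * Capacity is checked before every write, never assumed from a prior pass. */
long utf16_to_utf8(const uint16_t *in, size_t len, uint8_t *out, size_t out_cap) {
    size_t o = 0;
    for (size_t i = 0; i < len; ) {
        uint32_t cp;
        size_t n = utf16_decode(in, len, i, &cp);
        if (n == 0) return -1;
        size_t w = utf8_width(cp);
        if (out_cap - o < w) return -1;                     /* would overflow: refuse */
        switch (w) {
        case 1: out[o] = (uint8_t)cp; break;
        case 2: out[o]   = (uint8_t)(0xC0 | (cp >> 6));
                out[o+1] = (uint8_t)(0x80 | (cp & 0x3F)); break;
        case 3: out[o]   = (uint8_t)(0xE0 | (cp >> 12));
                out[o+1] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F));
                out[o+2] = (uint8_t)(0x80 | (cp & 0x3F)); break;
        default: out[o]  = (uint8_t)(0xF0 | (cp >> 18));
                out[o+1] = (uint8_t)(0x80 | ((cp >> 12) & 0x3F));
                out[o+2] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F));
                out[o+3] = (uint8_t)(0x80 | (cp & 0x3F)); break;
        }
        o += w;
        i += n;
    }
    return (long)o;
}

/* Constructed sample inputs (not from the article):
 * SAMPLE_GOOD = "A", U+20AC (euro sign), U+1F600 as a surrogate pair.
 * SAMPLE_BAD  = "A" followed by a lone high surrogate. */
const uint16_t SAMPLE_GOOD[4] = { 0x0041, 0x20AC, 0xD83D, 0xDE00 };
const uint16_t SAMPLE_BAD[2]  = { 0x0041, 0xD83D };
uint8_t SAMPLE_OUT[16];

int main(void) {
    long need  = utf16_to_utf8_length(SAMPLE_GOOD, 4);                 /* 1 + 3 + 4 = 8 */
    long wrote = utf16_to_utf8(SAMPLE_GOOD, 4, SAMPLE_OUT, sizeof SAMPLE_OUT);
    printf("good: need=%ld wrote=%ld\n", need, wrote);
    printf("bad:  need=%ld\n", utf16_to_utf8_length(SAMPLE_BAD, 2));  /* -1: lone surrogate */
    printf("tiny buffer: %ld\n", utf16_to_utf8(SAMPLE_GOOD, 4, SAMPLE_OUT, 7)); /* -1: refused */
    return 0;
}
```

The point to carry into a code review of any such converter is the pairing: whatever the length pass accepts, the write pass must encode identically, and the write pass must still bound-check on its own. A converter where the two passes are independent implementations is exactly the kind of code Brand calls “readily fuzzable”, because a fuzzer only needs to find one input on which they disagree.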
The second vulnerability, cataloged as CVE-2016-3862, can be exploited by sending a maliciously formatted JPEG image. When sent through Gmail or Google Talk, the malicious code is concealed inside Exif data embedded in the image. The target doesn’t need to click on anything to become compromised.

The vulnerabilities were made public the same week that security firm Check Point disclosed that recently discovered malicious apps, some available since April, had been downloaded from Google Play as many as 2.5 million times.
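The Exif-in-JPEG vector described above is worth a concrete look from the defender’s side, because the first thing any image parser does with Exif is trust a length field written by whoever produced the file. The following is an added example, not code from Android or from any JPEG library, and it says nothing about the specific defect behind CVE-2016-3862: it walks the marker segments of a JPEG, validates every declared segment length against the bytes actually present before reading past it, and reports where the Exif payload in the APP1 segment begins. The function name `jpeg_scan_segments`, the error codes, and the sample byte arrays are this example’s own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Android or libjpeg code): validate JPEG marker segment
 * lengths before trusting them, and locate the Exif payload in APP1. */
enum {
    JPEG_OK         =  0,
    JPEG_ERR_SOI    = -1,   /* does not start with FF D8 */
    JPEG_ERR_TRUNC  = -2,   /* a declared length runs past the end of the data */
    JPEG_ERR_LEN    = -3,   /* declared length smaller than the 2 length bytes themselves */
    JPEG_ERR_MARKER = -4    /* expected a marker (0xFF) and found something else */
};

/* Scan segments from SOI until SOS or EOI. If an APP1 segment with the
 * "Exif\0\0" identifier is found, *exif_off / *exif_len describe the TIFF
 * payload that an Exif parser would then read. Only the first match is kept. */
int jpeg_scan_segments(const uint8_t *buf, size_t len, size_t *exif_off, size_t *exif_len) {
    *exif_off = 0;
    *exif_len = 0;
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_ERR_SOI;
    size_t pos = 2;
    while (pos + 2 <= len) {
        if (buf[pos] != 0xFF) return JPEG_ERR_MARKER;
        uint8_t marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; }            /* fill byte before a marker */
        if (marker == 0xD9 || marker == 0xDA) return JPEG_OK; /* EOI, or SOS: entropy data follows */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) { pos += 2; continue; } /* TEM / RSTn carry no length */
        if (pos + 4 > len) return JPEG_ERR_TRUNC;           /* no room for the 2 length bytes */
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3]; /* big-endian, counts itself */
        if (seglen < 2) return JPEG_ERR_LEN;
        if (seglen > len - (pos + 2)) return JPEG_ERR_TRUNC; /* the key check: never read past `len` */
        if (marker == 0xE1 && *exif_len == 0 && seglen >= 2 + 6 &&
            memcmp(buf + pos + 4, "Exif\0\0", 6) == 0) {
            *exif_off = pos + 4 + 6;
            *exif_len = seglen - 2 - 6;
        }
        pos += 2 + seglen;
    }
    return JPEG_ERR_TRUNC;                                  /* ran out of bytes before SOS/EOI */
}

/* Constructed samples (not real files): SOI, one APP1 Exif segment holding a
 * minimal 8-byte big-endian TIFF header, then EOI. 22 bytes total. */
const uint8_t SAMPLE_JPEG_OK[22] = {
    0xFF, 0xD8,
    0xFF, 0xE1, 0x00, 0x10,                     /* APP1, length 16 = 2 + 6 + 8 */
    'E', 'x', 'i', 'f', 0x00, 0x00,
    'M', 'M', 0x00, 0x2A, 0x00, 0x00, 0x00, 0x08,
    0xFF, 0xD9
};
/* Same bytes, but the APP1 length claims 65535 bytes that are not there. */
const uint8_t SAMPLE_JPEG_OVERSIZED[22] = {
    0xFF, 0xD8,
    0xFF, 0xE1, 0xFF, 0xFF,
    'E', 'x', 'i', 'f', 0x00, 0x00,
    'M', 'M', 0x00, 0x2A, 0x00, 0x00, 0x00, 0x08,
    0xFF, 0xD9
};
/* Same bytes, but the APP1 length is 1, less than the length field itself. */
const uint8_t SAMPLE_JPEG_ZERO_LEN[22] = {
    0xFF, 0xD8,
    0xFF, 0xE1, 0x00, 0x01,
    'E', 'x', 'i', 'f', 0x00, 0x00,
    'M', 'M', 0x00, 0x2A, 0x00, 0x00, 0x00, 0x08,
    0xFF, 0xD9
};

int main(void) {
    size_t off, n;
    int rc = jpeg_scan_segments(SAMPLE_JPEG_OK, sizeof SAMPLE_JPEG_OK, &off, &n);
    printf("ok:        rc=%d exif_off=%zu exif_len=%zu\n", rc, off, n);   /* rc=0 off=12 len=8 */
    rc = jpeg_scan_segments(SAMPLE_JPEG_OVERSIZED, sizeof SAMPLE_JPEG_OVERSIZED, &off, &n);
    printf("oversized: rc=%d\n", rc);                                      /* -2 */
    rc = jpeg_scan_segments(SAMPLE_JPEG_ZERO_LEN, sizeof SAMPLE_JPEG_ZERO_LEN, &off, &n);
    printf("zero-len:  rc=%d\n", rc);                                      /* -3 */
    return 0;
}
```

Rejecting the file at the segment layer keeps malformed lengths from ever reaching the Exif/TIFF parser, which is the layer with the most complex offset arithmetic. In a mail client or messaging app that renders thumbnails automatically, this check runs before the user has done anything, which is exactly why the “no click required” property of the bug described above matters.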
At this point, it’s best to just get a VPN for your Android device.