Android phones can be taken over remotely – update when you can

Android phones are vulnerable to attacks that could allow someone to takeover a device remotely without the device owner needing to do anything.

Updates for these vulnerabilities and more are included in Google’s Android security bulletin for December. In total, there are patches for 94 vulnerabilities, including five rated as “Critical.”

The most severe of these flaws is a vulnerability in the System component that could lead to remote code execution (RCE) without any additional execution privileges required. User interaction is not needed for exploitation.

This vulnerability, referenced as CVE-2023-40088, affects a function that is used for Bluetooth communication, so the “remote” part is limited to “close range” since the average Bluetooth range is about 30 feet (10 meters). Successful manipulation with a specially crafted input leads to a use after free vulnerability. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Another critical vulnerability (CVE-2023-40077) that looks problematic is an Elevation of Privilege (EoP) vulnerability in the Android Framework. Successful exploitation could lead to a race condition. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. In this case it could provide a successful attacker with permissions to perform actions they shouldn’t be able to.

Security patch levels of 2023-12-05 or later address all of these issues. To learn how to check a device’s security patch level, see how to check and update your Android version. The updates have been made available for Android 11, 12, 12L, 13, and 14. Android partners are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for devices from all vendors. Android vendors such as Samsung and OnePlus have pledged to release security updates once a month. Google usually ships out security updates to Pixel phones within two weeks or sooner.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.