NCSC proposes new code of conduct for app stores

NCSC proposes new code of conduct for app stores

  

A report from the UK government has laid bare the risks of malicious mobile apps, as lawmakers call for tougher protections for consumers.

The report (PDF), published by the UK National Cyber Security Centre (NCSC), found that “people’s data and money are at risk because of fraudulent apps containing malicious malware created by cybercriminals or poorly developed apps which can be compromised by hackers exploiting weaknesses in software”.

The study, which conducted a review into the app store ecosystem from December 2020 to March 2022, detailed how 87% of UK citizens now own a smartphone, conveying a widespread attack surface.

Read more of the latest security news from the UK

“\[M\]alicious and poorly developed apps continue to be accessible to users, therefore it is evident that some developers are not following best practice when creating apps,” the NCSC claims.

“Additionally, prominent app store operators are not adequately signposting app requirements to developers and providing detailed feedback if an app or update is rejected.”

**New rules**

In response to the findings, the government is calling views from the tech industry on enhanced security and privacy requirements for firms running app stores and developers making apps.

Under new proposals, app stores for smartphones, game consoles, TVs and other smart devices could be asked to commit to a new code of practice setting out baseline security and privacy requirements, which the UK says “would be the first such measure in the world”.

RELATED UK government reveals plans to become ‘global cyber power’ in 2022

Developers and store operators making apps available to UK users would be covered including Apple, Google, Amazon, Huawei, Microsoft, and Samsung.

The proposed policy would require stores to have a vulnerability reporting process for each app available. They would also be required to share more security and privacy information in an accessible way, including giving consumers information on matters such as why an app would need access to users’ contacts and location.

NCSC technical director Ian Levy commented: “Our threat report shows there is more for app stores to do, with cybercriminals currently using weaknesses in app stores on all types of connected devices to cause harm.

“I support the proposed code of practice, which demonstrates the UK’s continued intent to fix systemic cybersecurity issues.”

**‘Crucial awareness’**

Filip Verloy, EMEA technical evangelist at Noname Security, commented: “These types of initiatives raise crucial awareness of the security issues that we currently face and provide a healthy and necessary debate on the subject. This should prove useful even if it only accomplishes just that.

“However, there are a few flaws to the measures proposed. Firstly, Apple has already made it a point of differentiation to prioritize privacy and security and perform extensive moderation in their app store versus competitors.

“Secondly, there is no such thing as 100% certainty about security when it comes to software, though laying out best practices and increasing scrutiny will certainly help weed out the worst offenders.”

YOU MAY ALSO LIKE UK government employees receive ‘billions’ of malicious emails per year – report

UK government calls for tougher protections against malicious mobile apps

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Emotet made headlines last week for being “back” after a major international law enforcement takedown last year. But I’m here to argue that Emotet never left, and honestly, I’m not sure it ever...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

As Nick Biasini and I covered in a December episode of Talos Takes, these takedowns are always incredibly helpful and a show of strength among the international community. But it doesn’t mean they’re a final nail in the coffin.  

Nick pointed out to me in that Talos Takes that there weren’t any arrests associated with the takedown, so the operators were always still out there ready to come back. And we started seeing Emotet send spam again as soon as nine-ish months after the takedown announcement.  

“In this particular case, we saw a botnet disruption, more than anything else,” Nick said. 

So it really shouldn’t be a surprise to anyone that Emotet is re-loading again. It’s known to go on months-long breaks, usually picking up around major holidays or international events like Black Friday and Cyber Monday. 

I admittedly don’t know enough about the ins and outs of taking down a botnet to say if something like this could ever be permanent or if there ever really is a way to truly end it for good. But if Emotet goes quiet for another few months and then magically pops up again in September, no one should be surprised. 

Take Silk Road, an infamous dark website for drug trade, needed three international takedown efforts over two years to truly shut down the site and stop any predecessors from popping up, even after its initial founder was arrested. 

As all these threats have shown us, as defenders, we can never let our guard down that a threat is ever truly gone no matter how impressive a press release sounds.  

**The one big thing **

Our researchers recently studied a trove of leaked chat logs between the Conti and Hive ransomware operators and their victims. From them, we learned more about how the groups choose their victims, how a triple-extortion attempt usually goes down and more about the inner workings of these actors. In our latest research paper, we run through these findings and provide a look into these chats so other security researchers and potential targets can be more prepared to fight these groups and spot their weaknesses.  

> **Why do I care? **
> 
> The chats we studied are completely new from the Conti leaks from earlier this year, so we continue to learn more about this group as time goes on. For starters, victims should take away from this research that if the plan is to pay the ransom, never take the actor’s first offer, they almost always reduce their asking price over time. We now know more about these groups’ negotiating tactics, which can be helpful for anyone who may be a future target or victim of these groups.  
> 
> **So now what? **Pretty much the same as always if the goal is to never be hit with one of these ransomware attacks. This is a reminder to all organizations to implement a strong patch management system and keep all systems up to date. Organizations should also perform general system hardening that includes removing services or protocols running on endpoints where they are unnecessary. 

**Other newsy nuggets **

For many years, Russia was viewed as off-limits for cyber attacks over the risk of potential retaliation. But after the country’s invasion of Russia, the floodgates have opened to hactivists and volunteers who are hitting the country’s networks at an unprecedented rate. Even some ransomware groups have gotten in on the action. Even early in the invasion, Russia suffered a major setback because actors in Belarus disrupted the country’s railway system that was still relying on Windows XP, slowing down Russia’s supply lines and potentially staving off an invasion of Kyiv, the country’s capital. (Washington Post, Wired, ComputerWorld) 

Users can now opt-out of having their personal information appear in Google search results. The search engine recently loosened its policies on this opt-out. Previously, users had to show a threat of doxxing or other harm that could come to them should something like their phone number, address or email show up when you searched their name. Now, the company says people can ask for their information to be removed even if there is no clear risk. This is not a catch-all step to protecting your identity online, but it’s a solid start for anyone looking to be more privacy-conscious. (NPR, CNET) 

A Chinese state-sponsored actor has been snooping on more than 30 major companies’ networks for more than two years to steal intellectual property. Security researchers say the APT41 threat actor used what they dubbed "Operation Cuckoo Bees” to steal trillions of dollars' worth of everything from engineering blueprints to experimental diabetes treatments and solar panel designs. As of this week, the campaign is still ongoing. (SC Magazine, CBS News) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #94: Everything you need to know about the BlackCat ransomware group
*   Vulnerability Spotlight: Two vulnerabilities in Accusoft ImageGear could lead to DoS, arbitrary free
*   Threat Roundup for April 22 - April 29

**Upcoming events where you can find Talos ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa **MD5:** df11b3105df8d7c70e7b501e210e3cc3 **Typical Filename:** DOC001.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1    **MD5:** 3e10a74a7613d1cae4b9749d7ec93515**Typical Filename:** IMG001.exe      
**Claimed Product:** N/A    **Detection Name:** Win.Dropper.Coinminer::1201 

**SHA 256:** 1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426    
**MD5:** a841c3d335907ba5ec4c2e070be1df53  **Typical Filename:** chip 1-click installer.exe    
**Claimed Product:** chip 1-click installer     
**Detection Name:** Win.Trojan.Generic::ptp.cam  

**SHA 256:** 7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97   **MD5:** 258e7698054fc8eaf934c7e03fc96e9e   **Typical Filename:** samsungfrp2021.exe     
**Claimed Product:** N/A   **Detection Name:** W32.7CFDF65B1F-85.TPD2.RET.SBX.TG34

Threat Source newsletter (May 5, 2022) — Emotet is using up all of its nine lives

Plus: Microsoft patched some 100 flaws, while Oracle issued more than 500 security fixes.

To find the update, you’ll need to check your device settings. Devices that have received the Android April update so far include Google’s Pixel devices and some third-party Android phones, including the Samsung Galaxy A32 5G, A51, A52 5G, A53 5G, A71, S10 series, S20 series, Note20 series, Z Flip 5G, Z Flip3, Z Fold, Z Fold2, and the Z Fold3, as well as the OnePlus 9 and OnePlus 9 Pro.

Google Chrome Emergency Updates

As the world’s biggest browser with over 3 billion users, it’s no surprise attackers are targeting Google Chrome. Browser-based attacks are particularly worrying because they can potentially be chained together with other vulnerabilities and used to take over your device.

It has been a particularly busy month for the team behind Google’s Chrome browser, which has seen several security updates within weeks of each other. The latest, pushed out in mid-April, fixes two issues including a high-severity zero-day vulnerability, CVE-2022-1364, which is already being used by attackers.

The technical details aren’t currently available, but the timing of the fix—just a day after it was reported—indicates it’s pretty serious. If you use Chrome, your browser should now be on version 100.0.4896.127 to include the fix. You’ll need to restart Chrome after the update has installed to ensure it activates.

The Chrome issue also impacts other Chromium-based browsers, including Brave, Microsoft Edge, Opera, and Vivaldi, so if you use one of those, make sure you apply the patch.

But that’s not all. On April 27, Google announced another Chrome update, fixing 30 security vulnerabilities. None of these have been exploited yet, the company says, but seven are rated as being a high risk. The update takes the browser to version 101.0.4951.41.

Oracle’s April 2022 Critical Patch Update

In mid-April, Oracle released its quarterly Critical Patch Update, including a whopping 520 security fixes. Some of the issues fixed in the update are serious—300 of them can be exploited remotely without authentication, and 75 security issues are rated as critical severity. Some of the Oracle patches address CVE-2022-22965, aka Spring4Shell, a remote code execution (RCE) flaw in the spring framework.

Microsoft’s Busy April Patch Tuesday

Microsoft had a major Patch Tuesday in April, issuing fixes for over 100 vulnerabilities, including 10 critical RCE flaws. One of the most important, CVE-2022-24521, is already being exploited by attackers, according to the company.

Reported by the NSA and researchers at CrowdStrike, the issue in the Windows Common Log File system driver doesn’t require human interaction to be exploited and can be used to obtain administrative privileges on a logged-in system. Other notable fixes include CVE-2022-26904—a publicly known issue—and CVE-2022-26815, a severe DNS Server flaw.

Mozilla Thunderbird 91.8.0 Fix

On April 5, Mozilla released a patch to fix security issues in its Thunderbird email client as well as its Firefox browser. The details are scant, but Thunderbird 91.8 fixes four vulnerabilities rated as having a high impact, some of which could be exploited to run arbitrary code.

Firefox ESR 91.8 and Firefox 99 also fix multiple security issues.

WordPress Plugin Elementor Version 3.6.3 

The Elementor website builder plug-in for WordPress has received a big security fix in April for a critical-rated vulnerability that could allow attackers to perform remote code execution and effectively take over a website.

Found by researchers at Plugin Vulnerabilities, the flaw was introduced in the plug-in in version 3.6.0, released on March 22. “We would recommend not using this plugin until it has had a thorough security review and all issues are addressed,” the researchers said.

Although the attacker must be authenticated to exploit the issue, it’s still pretty serious because anyone logged into an affected website can exploit it. The update for Elementor’s 5 million users, version 3.6.3, should be applied as soon as possible.

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   This startup wants to watch your brain
*   The artful, subdued translations of modern pop
*   Netflix doesn't need a password-sharing crackdown
*   How to revamp your workflow with block scheduling
*   The end of astronauts—and the rise of robots
*   👁️ Explore AI like never before with our new database
*   ✨ Optimize your home life with our Gear team’s best picks, from robot vacuums to affordable mattresses to smart speakers

You Need to Update iOS, Android, and Chrome Right Now

Improper access control vulnerability in S Secure prior to SMR Apr-2022 Release 1 allows physical attackers to access secured data in certain conditions.

This Cookie Policy describes the different types of cookies that may be used in connection with Samsung Mobile Security website which is owned and controlled by Samsung Electronics Co., Ltd (“Samsung Electronics”). This Cookie Policy also describes how you can manage cookies.

It’s important that you check back often for updates to the Policy as we may change it from time to time to reflect changes to our use of cookies. Please check the date at the top of this page to see when this Policy was last revised. Any changes to this Policy will become effective when we make the revised Policy available on our website.

Samsung Electronics has offices across Europe, so we can ensure that your request or query will be handled by the data protection team based in your region. If you have any questions, the easiest way to contact us is through our Privacy Support Page at https://www.samsung.com/request-desk.

You can also contact us at:

European Data Protection Officer  
Samsung Electronics (UK) Limited  
Samsung House, 2000 Hillswood Drive, Chertsey, Surrey KT16 0RS

**Cookies**

Cookies are small files that store information on your computer, TV, mobile phone, or other device. They enable the entity that put the cookie on your device to recognize you across different websites, services, devices, and/or browsing sessions.

We use the following types of cookies on this website:

**Essential Cookies**: enable you to receive the services you request via our website. Without these cookies, services that you have asked for cannot be provided. For example, these enable to identify users and provide proper service for each user. These cookies are automatically enabled and cannot be turned off because they are essential to enable you to browse our website. Without these cookies this Samsung Mobile Security website could not be provided.

Cookie

Domain

Purpose

JSESSIONID

security.samsungmobile.com

to keep login session

lastActivityTime

security.samsungmobile.com

to save the user's last activity time to automatically logout after 30 minutes of inactivity

**Managing Cookies and Other Technologies**

You can also update your browser settings at any time, if you want to remove or block cookies from your device (consult your browser's "help" menu to learn how to remove or block cookies). Samsung Electronics is not responsible for your browser settings. You can find good and simple instructions on how to manage cookies on the different types of web browsers at http://www.allaboutcookies.org.

CVE-2022-25831: Samsung Mobile Security

Improper access control vulnerability in FactoryCamera prior to version 2.1.96 allows attacker to access the file with system privilege.

CVE-2022-27838: Samsung Mobile Security

In NotificationStackScrollLayout of NotificationStackScrollLayout.java, there is a possible way to bypass Factory Reset Protections. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-193149550

_Published March 7, 2022 | Updated April 5, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-03-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-03-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-03-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Android runtime**

The vulnerability in this section could lead to local escalation of privilege with System execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39689

A-206090748

EoP

Moderate

12

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with User execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39692

A-209611539

EoP

High

10, 11, 12

CVE-2021-39693

A-208662370

EoP

High

12

CVE-2021-39695

A-209607944

EoP

High

11

CVE-2021-39697

A-200813547 \[2\]

EoP

High

11, 12

CVE-2021-39690

A-204316511

DoS

High

12

**Media Framework**

The vulnerability in this section could lead to remote information disclosure with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39667

A-205702093

ID

High

10, 11, 12

**System**

The most severe vulnerability in this section could lead to remote escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39708

A-206128341

EoP

Critical

12

CVE-2021-0957

A-193149550

EoP

High

10, 11, 12

CVE-2021-39701

A-212286849

EoP

High

11, 12

CVE-2021-39702

A-205150380

EoP

High

12

CVE-2021-39703

A-207057578

EoP

High

12

CVE-2021-39704

A-209965481

EoP

High

10, 11, 12

CVE-2021-39706

A-200164168 \[2\]

EoP

High

10, 11, 12

CVE-2021-39707

A-200688991

EoP

High

10, 11, 12

CVE-2021-39709

A-208817618

EoP

High

12

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Media Codecs

CVE-2021-39667

**2022-03-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-03-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Framework**

The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39694

A-202312327

EoP

High

12

**Kernel components**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2020-29368

A-174738029  
Upstream kernel

EoP

High

Kernel Memory Management

CVE-2021-39685

A-210292376  
Upstream kernel \[2\] \[3\]

EoP

High

Linux

CVE-2021-39686

A-200688826  
Upstream kernel \[2\] \[3\] \[4\]

EoP

High

Binder

CVE-2021-39698

A-185125206  
Upstream kernel \[2\] \[3\] \[4\] \[5\]

EoP

High

Kernel

CVE-2021-3655

A-197154735  
Upstream kernel \[2\] \[3\] \[4\]

ID

High

SCTP

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Component

CVE-2022-20047

A-213120685  
M-ALPS05917489\*

High

video decoder

CVE-2022-20048  

A-213116796  
M-ALPS05917502\*

High

video decoder

CVE-2022-20053

A-213120689  
M-ALPS06219097\*

High

ims service

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2021-35088

A-204905738  
QC-CR#3007473

High

WLAN

CVE-2021-35103  

A-209481110  
QC-CR#3033509

High

WLAN

CVE-2021-35105  

A-209469958  
QC-CR#3034743 \[2\]

High

Display

CVE-2021-35106  

A-209481028  
QC-CR#3035196 \[2\]

High

WLAN

CVE-2021-35117  

A-209481202  
QC-CR#3028360

High

WLAN

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2021-1942  

A-199191104\*

Critical

Closed-source component

CVE-2021-35110

A-209469768\*

Critical

Closed-source component

CVE-2021-1950  

A-199191539\*

High

Closed-source component

CVE-2021-30328

A-199191341\*

High

Closed-source component

CVE-2021-30329  

A-199191831\*

High

Closed-source component

CVE-2021-30332  

A-199190643\*

High

Closed-source component

CVE-2021-30333

A-199191889\*

High

Closed-source component

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Permission Controller

CVE-2021-39694

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-03-01 or later address all issues associated with the 2022-03-01 security patch level.
*   Security patch levels of 2022-03-05 or later address all issues associated with the 2022-03-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-03-01\]
*   \[ro.build.version.security\_patch\]:\[2022-03-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-03-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-03-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-03-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

March 7, 2022

Bulletin Released

1.1

March 8, 2022

Bulletin revised to include AOSP links

1.2

April 5, 2022

Revised CVE table

CVE-2021-0957: Android Security Bulletin—March 2022

An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows attackers to obtain sensitive information from heap memory via crafted frame lengths from a device.

CVE-2022-26966

Improper access control vulnerability in BixbyTouch prior to version 2.2.00.6 in China models allows untrusted applications to load arbitrary URL and local files in webview.

CVE-2022-25824: Samsung Mobile Security

Improper access control vulnerability in dynamic receiver in ApkInstaller prior to SMR MAR-2022 Release allows unauthorized attackers to execute arbitrary activity without a proper permission

CVE-2022-24931: Samsung Mobile Security

A use-after-free flaw was found in the Linux kernel’s Bluetooth subsystem in the way user calls connect to the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the system or escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Tag

#samsung