
Update now! Google patches Android vulnerability that allows remote code execution over Bluetooth

In the Android security bulletin of December 5, 2022 you can find an overview of the security vulnerabilities affecting Android devices that are fixed in patch level 2022-12-05 or later.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed.

Mitigation

If your Android phone is at patch level 2022-12-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 10, 11, 12, 12L and 13.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.
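For a fleet rather than a single handset, the same check can be automated. The script below is an added example (not code from the article or from Google); it assumes each device's patch level was read with `adb shell getprop ro.build.version.security_patch`, which returns the level as an ISO date, and the serials and values in it are constructed.

```python
"""Compare reported Android security patch levels against 2022-12-05, the
level that carries the fix for CVE-2022-20411 and the other December issues.

Added example, not from the bulletin or the article. Assumes the level comes
from `adb shell getprop ro.build.version.security_patch` (a real property,
value like "2022-12-05"); the device inventory below is constructed."""
from datetime import date

REQUIRED_PATCH_LEVEL = date(2022, 12, 5)  # patch level named in the bulletin


def parse_patch_level(value: str):
    """Parse a ro.build.version.security_patch value ("YYYY-MM-DD").

    Returns None for empty or malformed values so a device whose level is
    unknown is never counted as patched by accident."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def is_patched(value: str, required: date = REQUIRED_PATCH_LEVEL) -> bool:
    """True only when the reported level is on or after the required one."""
    level = parse_patch_level(value)
    return level is not None and level >= required


def triage(devices: dict) -> dict:
    """Map device serial -> 'ok' / 'needs update' / 'unknown'.

    `devices` maps a serial to the raw getprop output for that device."""
    result = {}
    for serial, raw in devices.items():
        level = parse_patch_level(raw)
        if level is None:
            result[serial] = "unknown"
        elif level >= REQUIRED_PATCH_LEVEL:
            result[serial] = "ok"
        else:
            result[serial] = "needs update"
    return result


if __name__ == "__main__":
    # Constructed sample values, shaped like the output of
    # `adb -s <serial> shell getprop ro.build.version.security_patch`.
    sample = {
        "SERIAL-A": "2022-12-05\n",
        "SERIAL-B": "2022-11-01\n",
        "SERIAL-C": "2023-01-05\n",
        "SERIAL-D": "",  # property absent, e.g. an image that does not set it
    }
    for serial, status in triage(sample).items():
        print(f"{serial}: {status}")
```

Devices reported as "unknown" should be investigated rather than assumed safe, since a missing or malformed level usually means a non-standard build.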

Vulnerabilities

The total number of patched issues is 81, and four of them are security issues labelled as critical.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below are details for the four critical ones.

CVE-2022-20472: a critical remote code execution (RCE) vulnerability in the Framework component.

CVE-2022-20473: another critical RCE vulnerability in the Framework component.

The Android framework consists of a group of Java classes, interfaces, and other precompiled code upon which apps are built.

CVE-2022-20498: a critical information disclosure (ID) vulnerability in the System component.

CVE-2022-20411: a critical RCE vulnerability in the System component. Exploiting this vulnerability could allow an attacker to perform remote code execution over Bluetooth with no additional execution privileges needed.

Google didn’t provide any details about the vulnerabilities in order to protect the Android users that haven’t been able to patch yet.

Patch gap

Depending on the manufacturer of your Android device, the patch may not be available to you yet.

A patch gap exists when software patches have to wait for a second vendor to incorporate them into its own software before they reach the end user.

This has always been a particularly acute problem on Android phones. If there is an update for the Android operating system—software that sits at the core of about 70% of all mobile devices—it can take a very long time to reach end users. This is because many mobile phone vendors sell their devices with their own tweaked versions of Android and any fix has to be tested in that slightly different environment.

We know that Samsung has issued the patch including a fix for CVE-2022-20411 and the other critical vulnerabilities.

Stay safe, everyone!


ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.