Google Publishes Monthly Android Security Bulletin, Patches Critical Vulnerabilities

    Google published its Android Security Bulletin for June on Monday, which contains details of over 40 security vulnerabilities affecting Android devices and related patches.

    In the advisory, the technology giant explains that the most severe of these issues was a critical security vulnerability in the System component that could lead to remote code execution (RCE) with no additional execution privileges needed.

    “The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed,” reads the advisory.

    Tracked as CVE-2022-20127, the vulnerability could affect unpatched systems running Android versions 10, 11, 12, and 12L.

    The bulletin also mentions other RCE vulnerabilities, which could affect the Framework, Media Framework and Kernel, respectively, of certain Android devices.

    In the document, Google also addressed vulnerabilities deriving from the hardware of certain manufacturers, including MediaTek and Qualcomm components as well as Motorola’s Unisoc chips.

    The 2022-06-01 security patch reportedly fixed the four critical vulnerabilities mentioned above, alongside five security bugs in Framework, 13 in the System component, and 18 others across Kernel, MediaTek, Unisoc, and Qualcomm closed-source components.

    Security patch levels of 2022-06-05 (or later), on the other hand, address all issues associated with the 2022-06-05 security patch level and all previous patch levels.

    Google added that for some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-06-01 security patch level.

    Despite these flaws being patched, security on Android is a broader issue. Recent data from Check Point showed how thousands of mobile apps exposed user data due to the misconfiguration of back-end cloud databases back in March.

    More recently, the Cybersecurity and Infrastructure Security Agency (CISA) added 41 vulnerabilities to its catalog of known exploited flaws, including two concerning Android systems.