Google’s latest security bulletin (for December 2019) has ‘bad news’ for Android smartphone users. The advisory names three security flaws, one of which Google has termed “most severe” because it can permanently brick your Android smartphone. Here’s all you need to know about this ‘dangerous threat’ and more …
The threat has been revealed in Google’s December 2019 Android Security Bulletin
Of the three vulnerabilities, one is ‘most severe’
As per Google’s security bulletin, there are three vulnerabilities. Of these, two are rated as critical. The third one, CVE-2019-2232, has been highlighted as “most severe”.
According to the official NIST National Vulnerability Database, the vulnerability in the “handleRun of TextLine.java” could create a “possible application crash.” This may lead to a permanent denial of service, as the attack can brick your smartphone.
What causes the attack
A maliciously crafted message can cause a denial of service on your Android device.
What is the solution: Installing Android’s December security update
Installing the December security update as soon as it is available can help.
What is the problem: Not all Android devices receive timely security updates, and many old ones don’t
The biggest problem here is that not all Android smartphones receive timely security updates. Many do, but not as quickly as they should. Many old ones don’t even receive security patches. Smartphone users with older Android devices, and many with devices from lesser-known brands, may not get the patch at all.
According to the description in the Android Security Bulletin, “User interaction is not needed for exploitation.” The remote denial of service attack needs “no additional execution privileges,” adds the bulletin.
Devices affected: The security flaw affects devices running on Android 8.0, Android 8.1, Android 9 and Android 10
The vulnerability affects devices running Android 8.0, Android 8.1, Android 9 and Android 10.
Good news: Patch is already out, but needs to be installed
The good news is that the security patch for CVE-2019-2232 and the other security vulnerabilities has already been released to the Android Open Source Project (AOSP) repository.
Bad news: When and if you get the update depends on your smartphone manufacturer
Google devices are likely to be the first ones to get the update
Google released OTA updates on the same day that the monthly bulletin was published.
How to check if security patch is available
Most likely you will get a notification about the OTA update. If you think you may have missed the update, check your security patch level under Settings > About phone > Android security patch level.
On Android 9, the update check is under Settings > System > Advanced > System updates. Please note that most smartphone manufacturers add their own updates in addition to Google’s.
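For anyone checking several devices rather than tapping through Settings, the same check can be scripted. This is an added example, not code from Google or the bulletin: the function names are hypothetical, the inventory lines are constructed, and the default threshold 2019-12-01 is an assumption (the first patch-level date of the December 2019 bulletin) that should be confirmed against the bulletin.

```shell
# Added example: classify devices for CVE-2019-2232 from Android version and patch level.
# REQUIRED_PATCH is an assumption; confirm the date against the December 2019 bulletin.
REQUIRED_PATCH="${REQUIRED_PATCH:-2019-12-01}"

# is_affected_release RELEASE: succeeds for the versions the article lists (8.0, 8.1, 9, 10)
is_affected_release() {
    case "$1" in 8.0|8.0.*|8.1|8.1.*|9|9.*|10|10.*) return 0 ;; esac
    return 1
}

# patch_at_least PATCH REQUIRED: 0 if PATCH >= REQUIRED, 1 if older, 2 if malformed
patch_at_least() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # YYYY-MM-DD with the dashes removed compares correctly as an integer
    [ "$(printf '%s' "$1" | tr -d '-')" -ge "$(printf '%s' "$2" | tr -d '-')" ]
}

# classify_device RELEASE PATCH: prints patched | vulnerable | not-listed | unknown-patch-level
classify_device() {
    release=$1 patch=$2
    if ! is_affected_release "$release"; then echo "not-listed"; return 0; fi
    rc=0
    patch_at_least "$patch" "$REQUIRED_PATCH" || rc=$?
    case $rc in
        0) echo "patched" ;;
        1) echo "vulnerable" ;;
        *) echo "unknown-patch-level" ;;
    esac
}

# check_adb_device: read both values from a USB-attached device (needs adb; not run here)
check_adb_device() {
    release=$(adb shell getprop ro.build.version.release | tr -d '\r')
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    classify_device "$release" "$patch"
}

# Constructed sample inventory: "name release patch-level"
while read -r name release patch; do
    printf '%s\t%s\n' "$name" "$(classify_device "$release" "$patch")"
done <<'EOF'
phone-a 10 2019-12-05
phone-b 9 2019-11-01
phone-c 7.1.2 2018-06-01
EOF
```

A device reported as "not-listed" runs a version the article does not name as affected; it says nothing about other vulnerabilities on that device.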