For an operating system as popular as Android, security is an area Google cannot afford to compromise on. For its July update, Google has released patches for 44 vulnerabilities in Android. Most of these bugs are highly severe or critical in nature.
These patches are available instantly for Google’s own Pixel and Nexus devices. Phones from other companies will have to wait till their manufacturers push updates with the patches. In order to facilitate that process, Google notified all Android partners of the security threats a month before the publication of the July update.
For the July update, Google identified and fixed bugs in the OS and Media framework, including system and kernel related issues.
According to the bulletin published by Google, “The most severe [Framework] vulnerability (CVE-2018-9433) in this section could enable a remote attacker using a specially crafted PAC file to execute arbitrary code within the context of a privileged process.”
Zcaler describes a PAC file as a text file that prompts the browser to forward traffic to a proxy server instead of directly to the destination server.
More than 20 bugs now identified and fixed were related to components by Qualcomm, the telecommunication equipment company that makes the processors of a huge chunk of Android devices. The most serious of Qualcomm related bugs was one that (again) allowed a remote attacker to execute arbitrary code within the context of a privileged process.
It is noteworthy that Google claims that none of these critical security issues had been exploited or abused yet, as there are no customer reports regarding such exploitation.
Google Pixel and Nexus users can check for updates on their smartphone to automatically download the security patches. Google has also uploaded the patch online, so users can manually download the update onto their phones.
As for other manufacturers, Samsung and LG have already started releasing security patches for their phones. Google will soon release the source code patches to the Android Open Source Repository (AOSP) soon. This will allow other manufacturers to more smoothly implement the critical security patches on their Android smartphones.
It is surely for the best that Google is staying ahead of hackers in fixing security issues that haven’t been exploited yet. Android as a platform certainly cannot afford to leave any avenues for abuse and exploitation to remain open.