Google is typically closemouthed about known vulnerabilities, patches, and what kinds of malware they are countering at any given time. Some of that is to protect Android users, by avoiding letting hackers and other bad actors know about critical vulnerabilities they might not have already found, but it can also mean that Android users don't always pay attention to the security updates they need to keep their devices safe.
If you are an Android user running Android 11, 12, 12L, or 13 and haven't already updated your device after the most recent patch, you should do so immediately.
You can check whether your device has updated recently, and see which Android version your device is running, by opening the About Phone, About Device, or About Software tab in your device settings.
Here's what you need to know about the latest Android security bulletin, the most recent security patch, and what we know about the vulnerabilities being patched.
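For anyone checking more than one device, the same information is exposed as system properties over adb. The script below is an added example, not part of the original article: it reads the device's reported patch level and Android release and says whether it is at or past the March 2023 bulletin date. It assumes adb is installed and a device is authorized for USB debugging when run with `--live`; the check functions take values as arguments, so they also work offline.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumes adb and an authorized device only for the --live path.

BULLETIN_DATE="2023-03-05"   # patch level discussed in the article

# Normalize YYYY-MM-DD to YYYYMMDD; prints nothing if the format is wrong.
patch_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s' "$1" | sed 's/-//g' ;;
        *) ;;
    esac
}

# patch_is_current PATCH_LEVEL -> 0 if on or after the bulletin date,
# 1 if older, 2 if the value is missing or malformed.
patch_is_current() {
    p=$(patch_to_int "$1")
    [ -n "$p" ] || return 2
    [ "$p" -ge "$(patch_to_int "$BULLETIN_DATE")" ]
}

# affected_release RELEASE -> 0 for the versions the bulletin covers
# (11, 12, 12L, 13), 1 otherwise.
affected_release() {
    case "$1" in
        11|12|12L|13) return 0 ;;
        *) return 1 ;;
    esac
}

# verdict PATCH_LEVEL RELEASE -> one-line status for a report.
verdict() {
    rc=0
    patch_is_current "$1" || rc=$?
    case $rc in
        0) echo "Android $2, patch level $1: current" ;;
        1) echo "Android $2, patch level $1: update needed" ;;
        *) echo "Android $2: patch level '$1' unreadable" ;;
    esac
}

# Live check: read both properties from an attached device.
if [ "${1:-}" = "--live" ]; then
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    release=$(adb shell getprop ro.build.version.release | tr -d '\r')
    verdict "$patch" "$release"
fi
```

A patch level older than 2023-03-05 on an affected release means the two critical fixes described below are not yet on the device.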
Android Patch Fixes 2 Critical Security Vulnerabilities and Many High Severity Vulnerabilities
It’s very rare for patches to come out that address only a couple of security vulnerabilities. Almost every security patch is going to have a wide range of mitigation tasks included, which patch low-risk vulnerabilities along with critical vulnerabilities.
Most users should focus on the critical vulnerabilities; the lower-severity issues are still listed in the bulletin and the Android security notes in case they are relevant, or more important, for some users.
The most recent round of security patches, which came out on March 5th, 2023, fixed two critical vulnerabilities, CVE-2023-20951 and CVE-2023-20954, both of which are remote code execution (RCE) vulnerabilities.
Remote code execution vulnerabilities are especially important because, as in this case, they can sometimes allow remote code execution without needing any additional execution privileges.
Basically, that means the vulnerability would let an attacker run code they have injected without requiring the user to approve that execution, often without any direct user interaction at all.
That means that these kinds of cybersecurity threats may exist on your mobile device without you doing anything – which can also make them difficult to trace. Often, these remote code execution vulnerabilities can allow malware to be installed without the knowledge of the user.
Fortunately, these two critical vulnerabilities have been closed, assuming you've installed the most recent patch.
In addition, this security update also patched CVE-2022-33213 and CVE-2022-33256, which are both memory corruption vulnerabilities. These kinds of vulnerabilities crop up when program memory is modified in ways the program did not intend, and how and where that happens can open up a variety of weaknesses that hackers can exploit to do a range of things.
There were quite a few other vulnerabilities patched in this most recent update. For a more detailed changelog, or to learn more about the specific vulnerabilities that have been patched, you can look at the March Android Security Bulletin.
Just remember that Google tends to keep vulnerability information relatively limited to help avoid giving away information that could help hackers exploit the vulnerabilities before everyone’s devices are updated.
What Is Considered A Critical Vulnerability On Android Devices?
Critical vulnerabilities are vulnerabilities that can potentially give hackers a high level of access or control over the affected devices. Sometimes these can allow the installation of ransomware, which gives hackers the option of making a device unusable or wiping data unless the user agrees to certain terms.
Serious ransomware attacks on large systems have made this kind of attack particularly threatening, but they aren’t the only options.
Critical vulnerabilities may also allow denial of service attacks, or DoS attacks, which allow hackers to deny access to your device. However, these don’t always give away any data or information stored on the device – they’re more of an inconvenience unless there is other malware also mining for data or otherwise exploiting the device.
Generally, a critical vulnerability means that the device can be entirely controlled in some way by the hacker. These attacks can involve elevation of privilege once the malware is installed, and often work without needing the user to do anything to trigger them.
The most threatening of these are so-called zero-day vulnerabilities. That just means that the security team or security researchers that have identified a vulnerability have had 0 days to work on the problem. A zero-day vulnerability may also mean that hackers have identified and used the vulnerability before the security researchers involved in protecting a system have a chance to fix it.
Some vulnerabilities may come through the Google Play store on Android, but other system connections, including Bluetooth, may also be vulnerable if you have an out-of-date Android system.
Are Android Phones More Vulnerable Than Competitors?
Generally, yes, Android phones and other devices are more vulnerable than Apple, Microsoft Windows, or Linux devices. Apple's iOS is widely considered the least vulnerable, but there are a range of reasons for the different vulnerabilities.
One of the key problems Android faces is coding errors and vulnerabilities that come along with third-party programs.
There are a large number of known system components that are potentially vulnerable, and while a patch-level security update can help, it won’t necessarily address the underlying problem that caused the vulnerability in the first place.
Which Mobile OS Is Considered The Most Vulnerable?
There are two different ways to think about phone cybersecurity when you’re trying to figure out which systems are the most vulnerable.
- The number of vulnerabilities that have been identified/exploited/fixed in the OS
- The severity of the specific known vulnerabilities in each OS.
Both of these measures are important, but they can lead to very different results depending on what you’re looking for and trying to protect against.
For instance, some people might be willing to buy a phone with more known security concerns if those vulnerabilities are generally low-risk, i.e., someone exploiting that particular vulnerability is unlikely to come away with personal information about the person using the phone, or be able to access more protected information stored on the phone, like payment information or bank account access.
Both Android and Apple mobile OS are being hit with an increasing number of hacking attempts, with more and more people seeking out vulnerabilities. That means that there are going to be more vulnerabilities found, more critical security patches released, and an increased rate of high-severity vulnerabilities found.
Ultimately, there is no such thing as a perfectly secure operating system, and new security issues may be introduced with every patch, including patches meant to keep your mobile devices safer.
That said, Android operating systems are generally considered more vulnerable than Apple operating systems. There are generally more security threats to Android smartphones, especially devices running the older Android 10 OS.
Unfortunately, Android also tends to experience more severe vulnerabilities, according to top security researchers. That means that Android users, including Samsung, Pixel devices, and other mobile devices running Android OS need to be especially careful about keeping their devices up to date and monitoring for security patches that help protect their devices.
Can You Skip Android Security Updates?
We don’t recommend it, and, past a certain point, you may not be allowed to skip critical updates.
There are a few reasons for this. For one thing, if you skip an update that contains a critical security patch, like the most recent security update did, your phone or device is significantly more likely to end up infected with malware. Depending on the program, you may not even notice a change in your device's function, while malicious code is mining your data, gathering personal information about you and your accounts, or opening up new vulnerabilities in your device's operating system.
Even if you aren’t concerned with malware, at a certain point your device will be forced to update. This happens in part because of new regulations after several companies and the NHS had critical systems attacked with ransomware that used a known vulnerability that had been patched months before the attack took place. Because those companies opted out of updates that might have caused problems in their internal systems, they were left vulnerable in a way they shouldn’t have.
So now, software companies are required to force updates when there are critical fixes; they can no longer allow consumers to opt out, in order to prevent the kind of massive disruption that happens when malware makes it into a large company's systems.
Not every update is considered critical this way, but your Android device will likely need to install all the skipped updates every time a critical security update is required. So rather than skipping small updates and leaving your phone vulnerable, and then having to wait for them all to be installed when a critical update is released, it’s better to accept updates as they are released.
Better yet, you should be installing security updates on your Android device as soon as they are made available.