The good news in this month’s Android patches is that while Google’s own updates fix many elevation of privilege (EoP) holes, there are no remote code execution (RCE) bugs on the list.
The bad news, of course, is that EoP bugs that lead straight to root access, without any telltale signs, allow rogue apps to suck up more data and spy on more aspects of your online life than you would ever expect.
With root-escalation exploit code hidden inside, even an otherwise useful but seemingly basic app – offering a flashlight or a simple compass, say, or one of thousands of other seemingly innocent “cover stories” – could end up being a front for spyware or a data-logging tool.
Unfortunately, even Google’s vaunted Play Store can’t always protect you from malware, with rogue apps regularly sneaking past the automated verification processes that are supposed to catch software that blatantly oversteps the mark on privacy, security or both.
And if you go off-market, things can get much more dangerous, because there are many unofficial Android app stores where just about anything goes, including some app repositories that deliberately present themselves as a convenient place to get hold of software that Google “doesn’t want you to have”.
Who would do that?
You might think that no one would deliberately go looking for apps that are clearly not allowed on Google Play, or that have already been rejected by Google.
But cybercriminals can even turn “this app is not in the Play Store” to their advantage, as SophosLabs reported in the case of CryptoRom scammers.
These criminals get to know their victims online, often starting with dating sites.
The scammers do not intend to start fake romances, but simply to make “friends” with whom they will soon start talking about cryptocoin investments…
…preparing to persuade their victims to install an entirely fraudulent cryptocurrency investing app.
These apps are almost always off-market, but scammers describe this as a strength, not a weakness, with apps being touted as “exclusive” precisely because they’re not available for anyone to download.
(There’s a parallel scam for iPhone users to trick them into installing fake “business apps” or “beta test” apps, which aren’t strictly Apple-approved.)
The risks of root
Usually Android apps are locked down so that each app runs as if it were an entirely separate user on the device, similar to how you might have multiple logins on your laptop to share it with your family.
This explicitly limits the files and services each app can access, so a buggy or misbehaving app can’t easily get at data belonging to other apps, just as you can’t read other users’ home directories on a shared laptop, and so that apps don’t get at operating system files and data either.
With each app running in its own sandbox of access permissions, a compromised app can’t just wander through all your files at will, spying on whatever it wants, limiting your risk.
Additionally, and unlike on a Windows, Mac or Linux laptop, Google’s Android reserves access to the root, or administrator, account for itself.
On your laptop you can browse other users’ files if you have admin privileges, but on Android you can’t, because by default there is simply no way to acquire those privileges, even if you want them.
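As an added example that is not part of the original article, the shell snippet below shows what that per-app user model looks like from a developer’s workstation: `adb shell ps -A -o USER,PID,NAME` lists every process together with the Linux user it runs as, and an installed app should always appear as u0_aNNN (or uN_aM for a secondary profile), never as root. The sample `ps` output, the package names and the `com.example.*` process shown running as root are constructed for the demonstration; the UID arithmetic (app UIDs start at 10000, with 100000 per Android user) is Android’s real scheme.

```shell
#!/bin/sh
# Added example (not from the original article): inspect which Linux user each
# app process runs as, the way `adb shell ps -A -o USER,PID,NAME` would show it.
# Every installed app gets its own user (u0_aNNN for the primary Android user);
# system daemons run as fixed users such as root, system and radio.

# Constructed sample output, not a real capture from a device.
SAMPLE_PS='USER           PID NAME
root             1 init
system         612 system_server
radio          890 com.android.phone
u0_a123       4210 com.example.flashlight
u0_a124       4311 com.example.compass
root          4400 com.example.compass:helper
u0_a10        3001 com.android.systemui'

# usage: find_root_apps "<ps output>"
# Prints the name of every package-style process (name contains a dot) that is
# running as root. On an unrooted phone the list should be empty; a third-party
# package running as root is what a successful EoP exploit looks like.
find_root_apps() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "root" && $3 ~ /\./ { print $3 }'
}

# usage: app_user "<ps output>" <process name>
# Prints the user a given process runs as (first match only).
app_user() {
    printf '%s\n' "$1" | awk -v pkg="$2" '$3 == pkg { print $1; exit }'
}

# usage: uid_number uN_aM -> numeric uid
# Android names app users uN_aM: N is the Android user (profile), M the
# per-user app index. The numeric uid is N * 100000 + 10000 + M,
# so u0_a123 is uid 10123 and u10_a5 is uid 1010005.
uid_number() {
    case "$1" in
        u[0-9]*_a[0-9]*) ;;
        *) echo "not an app user name: $1" >&2; return 1 ;;
    esac
    rest=${1#u}
    user=${rest%%_a*}
    index=${rest#*_a}
    echo $((user * 100000 + 10000 + index))
}

printf 'App processes running as root: %s\n' "$(find_root_apps "$SAMPLE_PS")"
printf 'com.example.flashlight runs as %s (uid %s)\n' \
    "$(app_user "$SAMPLE_PS" com.example.flashlight)" "$(uid_number u0_a123)"
```

Note that a system app such as com.android.phone legitimately runs as a shared system user (radio here), so the check only flags package-named processes running as root; on a real device you would pipe `adb shell ps -A -o USER,PID,NAME` into `find_root_apps` instead of the constructed sample.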
Some Android devices, notably Google’s own Pixel phones, let you unlock the bootloader and install any operating system or software you like, such as a non-Google Android build in which users are allowed to request and receive root access, just as they can on a regular laptop.
But you need physical access to the device to put it into this “rootable” state, and every time you unlock or re-lock the bootloader, the data already on the device is wiped.
This stops you from “rooting” an existing Google Android phone in order to recover protected data that was previously on it, and it stops you from preparing a pre-rooted base on which to overlay a seemingly locked version of Android later on.
What has been fixed?
Google’s updates are listed in its April 2022 security bulletin, which describes numerous EoP flaws in the Android Framework (the underlying system programming libraries that other apps rely on), and some in the System component itself.
This month, Google is offering phone vendors two different patch levels, called 2022-04-01, which fixes the most pressing bugs, and 2022-04-05, which adds fixes for additional security vulnerabilities.
As the company notes, “[this month’s] bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly,” which seems to suggest that Google would rather have many, if not most, vendors fix at least some bugs than have just a few vendors fix all of them.
Nevertheless, Google makes it clear that a full patch is widely preferred: “Android partners are encouraged to resolve all issues in this bulletin and use the latest level of security patch.”
The 2022-04-01 patch level fixes eight EoP bugs in total, seven in the Android Framework and one in the System component.
The company notes that these bugs “could lead to local elevation of privilege without requiring additional execution privileges. User interaction is not required for exploitation.”
The more rigorous 2022-04-05 patch level adds fixes for four more EoP bugs, including a System-level vulnerability that comes with a warning that, if unpatched, the hole “could lead to local escalation of privilege from the Guest account without requiring additional execution privileges. User interaction is not required for exploitation.”
What to do?
Users of Google’s own Pixel phones can update now, without waiting their turn in the automated update delivery queue, by going to Settings > Security > Security update.
(We just updated our Pixel 4a; the update itself was listed as a miserly 11.4MB download, but the installation process took nearly an hour once the almost instant download was complete, so don’t lose faith if you update and it takes worryingly longer than expected!)
Owners of other phones may not receive the update immediately; when you do, your security patch level after the update (and its mandatory restart) should show as April 1, 2022 or April 5, 2022, depending on the patch level chosen by your vendor.
You can check your Android version and security patch level by going to Settings > About phone > Android version.
While you’re at it, check that your apps are up to date by opening the Play Store app, tapping your account icon (the small circle) in the top right corner of the screen, and going to Manage apps and device.
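The same patch-level check from a workstation, as an added example that is not part of the original article: `adb shell getprop ro.build.version.security_patch` returns the device’s patch level as a YYYY-MM-DD string, and the function below classifies it against the bulletin’s two levels, 2022-04-01 and 2022-04-05. The `device_patch_status` wrapper and the sample values are additions for illustration; the wrapper assumes adb is on your PATH and a USB-debugging-authorized device is attached.

```shell
#!/bin/sh
# Added example, not from the original article.
# usage: patch_status YYYY-MM-DD -> prints full | partial | unpatched
#   full      : at or beyond 2022-04-05 (every fix in this month's bulletin)
#   partial   : at 2022-04-01 but before 2022-04-05 (the subset level only)
#   unpatched : older than 2022-04-01
patch_status() {
    level=$1
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unrecognised patch level: '$level'" >&2; return 1 ;;
    esac
    # Dropping the dashes turns the ISO date into an integer that orders
    # the same way the dates do, so a plain numeric comparison is enough.
    n=$(printf '%s' "$level" | tr -d '-')
    if [ "$n" -ge 20220405 ]; then
        echo full
    elif [ "$n" -ge 20220401 ]; then
        echo partial
    else
        echo unpatched
    fi
}

# usage: device_patch_status  (needs adb on PATH and an authorized device)
# The property is the same value Settings shows as the security update date.
# Older adb builds end shell output with CR LF, so strip both before comparing.
device_patch_status() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    patch_status "$level"
}

# Constructed sample values rather than live device output:
for sample in 2022-04-05 2022-04-01 2022-03-05; do
    printf '%s -> %s\n' "$sample" "$(patch_status "$sample")"
done
```

Because vendors ship either level, a device reporting 2022-04-01 is not wrong, but it is still missing the four extra EoP fixes (including the Guest-account escalation) that only the 2022-04-05 level carries.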
By the way, despite Google Play’s imperfections, we highly recommend sticking with it if you can.
Even though Google doesn’t always keep malware at bay, the Play Store has a verification process that all apps must go through, as well as a mechanism to keep installed apps reliably up to date…
…which is far better than an unknown “alternative” app store open to anyone to submit any app they like, including apps that have already been rejected by Google itself.