Google has patched some serious bugs in Android, including a couple of critical flaws that could let hackers run their own code on the mobile operating system (OS).
As with many new patch releases, the details about one of the most critical vulnerabilities, CVE-2020-0022, are not yet public. However, what Google does tell us in its February 2020 advisory is that it lies in the system component of Android, which contains the system apps that ship with the OS.
It’s a remote code execution bug in the context of a privileged process, giving the attacker a high level of access to the operating system, and it applies to versions 8.0, 8.1, and 9 of the Android Open-Source Project (AOSP), on which the various phone implementations of Android are based. It also looks like there’s another, less dangerous, vulnerability associated with this bug, which renders a phone subject to a denial of service (DoS) attack.
The other critical-ranked bug is CVE-2020-0023, an information disclosure vulnerability that applies to version 10 of the AOSP.
Overall, there are 25 bugs. Aside from six in Android’s system component, there are seven in the Android Framework, which contains the Java APIs for the OS. All the Framework bugs are ranked high, with some extending back to version 8.0 of the AOSP. The worst one could enable a malicious application to gain extra privileges by bypassing user interaction requirements, the developers said.