Google closed 28 leaks during the April Android patch cycle, including one critical one. This leak makes phones with Qualcomm chipsets susceptible to remote attacks. Another high-priority vulnerability is in Android’s own code, which allows malicious apps to increase their permissions without user interaction.
The latter vulnerability could allow such apps to access data or perform actions beyond their normal privileges. Google classifies the impact of this leak as ‘high,’ security.nl reported. Both vulnerabilities are also listed in Google’s own April security bulletin.
Causing buffer overflow
The critical leak in Android devices with a Qualcomm chipset involves a security flaw in the data modem. This allows an attacker to cause a buffer overflow during verification of a DTLS protocol handshake, enabling code execution. The severity of this vulnerability, coded CVE-2023-28582, is rated 9.8 out of 10 on the CVSS vulnerability scale. This vulnerability is included in Quallcomm’s own security bulletin.
Google fixes flaws in the code of its Android operating system and components from chip manufacturers such as Qualcomm and MediaTek. Google-developed DRM system Widevine also receives the updates. The company uses specific dates to do so. Devices receiving the April updates have patch levels of “2024-04-01” or “2024-04-05.
Manufacturers must add all patches from the April Android bulletin to their updates and make them available to their users. These updates are available for Android 12, 12L, 13 and 14.
Similar to vulnerabilities fixed in January
In the January Android security update, Google patched a similar vulnerability in phones with the Qualcomm chip. This leak was also in the data modem and, like the most recent leak, involved the danger that phones could be remotely attacked via code insertion during a buffer overflow.
Google reports that manufacturers were notified of the vulnerabilities at least a month ago. Still, as always, it is not guaranteed that all Android devices will receive the updates promptly. This is due to discontinued support by manufacturers or a delayed rollout of the updates.
Also read: Second preview Android 15 offers features for satellite communications