Security researchers have uncovered and disclosed seven significant vulnerabilities affecting Android and Google Pixel devices, highlighting ongoing challenges in mobile security.
The vulnerabilities discovered and reported by the Oversecured Mobile Application Vulnerability Scanner team range from geolocation access exploitation to VPN bypass capabilities.
Two of the disclosed vulnerabilities specifically impact Google Pixel devices, while the remaining five affect the broader Android ecosystem.
Among the Pixel-specific issues, researchers identified ways that unprivileged applications could access user geolocation data and gain VPN bypass privileges, potentially compromising user privacy and security.
Of particular concern is CVE-2023-20963, a high-severity vulnerability that was actively exploited in the wild by the Pinduoduo app between March 2022 and February 2023. This vulnerability allowed attackers to launch arbitrary components with system privileges, effectively bypassing crucial security checks. The app was subsequently removed from Google Play, though it remains available in other app stores.
The disclosure also revealed a critical Bluetooth vulnerability (CVE-2024-34719) that allowed unauthorized access to Bluetooth functionality due to incorrect permission checks. Another significant finding is a WebView vulnerability that could lead to arbitrary file theft through default settings.
The researchers also identified an HTML injection vulnerability (CVE-2021-0600) affecting the Device Admin request screen, which could potentially be exploited to manipulate system interfaces. Additionally, a security flaw was found in the ContentProvider.openFile() implementation, which initially wasn't considered a vulnerability but was later acknowledged and patched by Google.
Google's response time to these vulnerabilities has varied significantly. While some issues were addressed within months of reporting, others took considerably longer to patch.
For instance, the parcel/unparcel mismatch vulnerability, reported in February 2022, wasn't patched until March 2023, after it had already been exploited in the wild.
The research team noted that all reported vulnerabilities have now been patched through various security updates. However, they emphasized the need for faster response times to critical security issues, particularly those actively exploited in the wild.
These findings underscore the importance of regular system updates for Android users, especially those using Pixel devices. Users are strongly encouraged to:
- Keep their devices updated with the latest security patches
- Be cautious when granting permissions to applications
- Only install apps from trusted sources like the Google Play Store
- Regularly review app permissions, particularly for location and system settings access
The disclosure highlights the ongoing cat-and-mouse game between security researchers and potential attackers, as well as the critical role of vulnerability disclosure programs in maintaining mobile device security.
While Google's Android security team has made significant progress in addressing these issues, the researchers emphasize the need for more rapid response times to protect users effectively.
All vulnerabilities mentioned in this report have been fixed in recent security updates, demonstrating Google's commitment to addressing security concerns, albeit with varying response times.