July 2016 Android Security Bulletin

The frail world of the Android ecosystem has taken some hits in the past week with the disclosure of a full disk encryption bypass vulnerability and the arrival of the HummingBad malware.

The FDE bypass highlighted the need to keep Android patch levels current, but as Duo Labs statistics point out, that remains a struggle for Android users who must rely on carriers and handset makers to integrate and distribute Google updates.

The latest Android Security Bulletin, released today, provides little relief. It’s a sizable update—late by nearly a week because of the July 4 U.S. holiday—but contains fixes for problems in a host of familiar areas including Mediaserver and a number of Qualcomm, MediaTek and NVIDIA components that have been featured in almost every bulletin since the monthly releases started last August.

Patches were released to carrier and handset manufacturer partners on June 6, and Google expects source code patches to be available on the Android Open Source Project within 48 hours.

Google points out that there are two security patch level strings in today’s bulletin: July 1 and July 5.

“This bulletin has two security patch level strings in order to provide Android partners with the flexibility to move more quickly to fix a subset of vulnerabilities that are similar across all Android devices,” Google said. “Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level string.”

The July 1 patch level may include a subset of patches that are available in the July 5 patch level, which is complete.

The most serious vulnerabilities are seven remote code execution flaws in Mediaserver, which are included in the July 1 patch level; July 1 also patches a critical remote code execution vulnerability in OpenSSL and Boring SSL (CVE-2016-2108).

The July 5 patch level, meanwhile, patches a dozen critical elevation of privilege flaws, including a six in MediaTek drivers including the Wi-Fi driver on specific devices, as well as two in the Qualcomm GPU driver, another in the Qualcomm performance component, and one in the NVIDIA video driver. The July 5 patch level also addresses a flaw in the kernel file system (CVE-2016-3775) and in the USB driver (CVE-2015-8816).

The issue of prompt Android patching has caught the attention of the U.S. government, which in May through the Federal Trade Commission and Federal Communications Commission sent letters to leading device makers and carriers seeking details on their respective security update practices.

“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. Therefore, we appreciate efforts made by operating system providers, original equipment manufacturers, and mobile service providers to respond quickly to address vulnerabilities as they arise,” said Jon Wilkins, chief of the Wireless Telecommunications Bureau at the FCC in one of the letters. “We are concerned, however, that there are significant delays in delivering patches to actual devices—and that older devices may never be patched.”

Successful exploits against the full disk encryption bypass vulnerability disclosed last week require chaining together of an older, patched Mediaserver vulnerability.

Duo Labs said last week that it estimates 57 percent of Android phones are still vulnerable to related Mediaserver attacks.

“Compared to 60 percent of Android phones that were vulnerable to the Android attack in January, the security posture of our dataset has improved slightly, with 57 percent of Android phones vulnerable to the latest attack,” according to a Duo Labs blog post.

Today’s Android Security Bulletin also patched dozens of vulnerabilities rated High severity, including a remote code execution flaw in Bluetooth in the July 1 patch level and many elevation of privilege and information disclosure flaws in Mediaserver, OpenSSL, libpng, LockSettings Service, ChooserTarget service. The July 5 patch level includes patches for high-severity elevation of privilege vulnerabilities in Qualcomm USB, Wi-Fi and camera drivers, NVIDIA camera drivers, MediaTech power, display, Wi-Fi-hardware sensor, video and GPS drivers, as well as in the kernel file system, serial peripheral interface driver and networking components.