Google has released the details surrounding the April 2 security patch for Android, completely mitigating issues described in a bulletin several weeks ago as well as a slew or other critical and moderate issues. This one is a bit different from previous bulletins, with special attention paid to a privilege escalation vulnerability in versions 3.4, 3.10 and 3.14 of the Linux kernel used in Android. We'll discuss that further down the page. In the meantime, here's the breakdown of what you need to know about this month's patch.
Updated firmware images are now available for currently supported Nexus devices on the Google Developer site. The Android Open Source Project has these changes rolling out to the relevant branches now, and everything will be complete and synchronized within 48 hours. Over the air updates are in progress for currently supported Nexus phones and tablets, and will follow the standard Google rollout procedure — it may take a week or two to get to your Nexus. All partners — that means the people who built your phone, regardless of brand — have had access to these fixes as of March 16 2016, and they will announce and patch devices on their own individual schedules.
The most severe issue addressed is a vulnerability that could allow remote code execution when processing media files. These files can be sent to your phone by any means — email, web browsing MMS or instant messaging. Other critical issues patched are specific to the DHCP client, Qualcomm's Performance Module and RF driver. These exploits could allow code to run that permanently compromises the device firmware, forcing the end user to need to re-flash the full operating system — if "platform and service mitigations are disabled for development proposes." That's security-nerd speak for allowing apps from unknown sources to be installed and/or allowing OEM unlocking.
Other vulnerabilities patched also include methods to bypass Factory Reset Protection, issues that could be exploited to allow denial of service attacks, and issues that allow code execution on devices with root. IT professionals will be happy to also see mail and ActiveSync issues that could allow access to "sensitive" information patched in this update.
As always, Google also reminds us that there have been no reports of users being affected by these issues, and they have a recommended procedure to help prevent devices from falling victim to these and future issues:
- Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
- The Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet, which will warn the user about detected potentially harmful applications about to be installed. Device rooting tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known rooting applications. Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove any such applications.
- As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.
Regarding issues mentioned in the previous bulletin
On March 18, 2016 Google issued a separate supplemental security bulletin about issues in the Linux kernel used on many Android phones and tablets. It was demonstrated that an exploit in versions 3.4, 3.10 and 3.14 of the Linux kernel used in Android allowed devices to be permanently compromised — rooted, in other words — and affected phones and other devices would require a re-flash of the operating system to recover. Because an application was able to demonstrate this exploit, a mid-month bulletin was released. Google also mentioned that Nexus devices would receive a patch "within a few days." That patch never materialized, and Google makes no mention of why in the latest security bulletin.
The issue — CVE-2015-1805 — has been patched completely in the April 2, 2016 security update. AOSP branches for Android versions 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1 have received this patch, and the rollout to the source is in progress.
Google also mentions that devices that may have received a patch dated April 1, 2016 have not been patched against this particular exploit, and only Android devices with a patch level dated April 2, 2016 or later are current.
The update sent to the Verizon Galaxy S6 and Galaxy S6 edge is dated April 2, 2016 and does contain these fixes.
The update sent to the T-Mobile Galaxy S7 and Galaxy S7 edge is dated April 2, 2016 and does contain these fixes.
Build AAE298 for unlocked BlackBerry Priv phones is dated April 2, 2016 and does contain these fixes. It was released in late March, 2016.
Phones running a 3.18 kernel version are unaffected by this particular issue, but still require the patches for other issues addressed in the April 2, 2016 patch.
