Google finds critical Android security flaw, and you might be waiting for a fix

Android 14 review
(Image credit: Apoorva Bhardwaj / Android Central)

What you need to know

  • Google found a security flaw in Android that allowed for remote code execution, which it described as a "critical security vulnerability." 
  • The vulnerability is what is known as a "zero-click" flaw, meaning it requires no interaction to be exploited.
  • Google is providing OEMs with a fix through the Android Open Source Project, but it'll be up to each phone maker to ship updates to their smartphones.

Google discovered a "critical security vulnerability" in Android that makes it possible for a remote hacker to execute code on your phone, it said in December's Android Security Bulletin. The company has already provided Android phone manufacturers with a fix, but each OEM will have to send out its own update to patch the security flaw.

The bug has been assigned CVE-2023-40088 in the National Vulnerability Database, which provides more information. According to the NVD report, the issue surfaces when the Android phone tries to run a callback_thread_event of com_android_bluetooth_btservice_AdapterService.cpp. During this action, it's possible for memory to be corrupted with a use-after-free vulnerability. 

Essentially, this problem causes Android phones to access com_android_bluetooth_btservice_AdapterService.cpp without authorization after the system's memory has already been deallocated. This could allow a remote hacker to access an Android phone, executing code without any user action needed. 

While this flaw can be executed remotely, it is worth noting that a would-be attacker has to be relatively near you for it to work. It can be exploited via Wi-Fi, Bluetooth, or NFC wireless connection. 

Google has sent a fix for Android versions 11, 12, 12L, 13, and the latest Android 14 through the Android Open Source Project. Presumably, this means Android phones on those versions are affected by the bug. Since this issue allows for remote code execution with no user interaction needed, it's one of the most severe types of security vulnerabilities. 

Neither Google nor the NVD specifies whether the bug has been actively exploited in the wild. Usually, this would be stated in the event a security flaw has been exploited, but we don't know for sure. Google didn't add any more context for the vulnerability, which is to be expected. The company will likely not provide more information until the issue has been patched and the majority of active devices have been updated. 

However, since the patch will be released through the AOSP, you won't see an update immediately. The update will be sent out over the next couple of days, but each Android OEM needs to send out the fix after that. Pixel phones could be the first to receive the patch, but timelines can vary for other brands. 

Considering the severity of this issue, keep an eye out for a security update this month if you use an Android smartphone. 

Brady Snyder

Brady is a tech journalist covering news at Android Central. He has spent the last two years reporting and commenting on all things related to consumer technology for various publications. Brady graduated from St. John's University in 2023 with a bachelor's degree in journalism. When he isn't experimenting with the latest tech, you can find Brady running or watching sports.