Google has published its annual 0-day vulnerability report, presenting in-the-wild exploitation stats from 2022 and highlighting a long-standing problem in the Android platform that elevates the value and use of disclosed flaws for extended periods.
More specifically, Google's report highlights the problem of n-days in Android functioning as 0-days for threat actors.
The problem stems from the complexity of the Android ecosystem, involving several steps between the upstream vendor (Google) and the downstream manufacturer (phone manufacturers), significant discrepancies in security update intervals between different device models, short support periods, responsibility mixups, and others issues.
A zero-day vulnerability is a software flaw known before a vendor becomes aware or fixes it, allowing it to be exploited in attacks before a patch is available. However, an n-day vulnerability is one that is publicly known with or without a patch.
For example, if a bug is known in Android before Google, it is called a zero-day. However, once Google learns about it, it becomes an n-day, with the n reflecting the number of days since it became publicly known.
Google warns that attackers can use n-days to attack unpatched devices for months, using known exploitation methods or devising their own, despite a patch already being made available by Google or another vendor.
This is caused by patch gaps, where Google or another vendor fixes a bug, but it takes months for a device manufacturer to roll it out in their own versions of Android.
"These gaps between upstream vendors and downstream manufacturers allow n-days - vulnerabilities that are publicly known - to function as 0-days because no patch is readily available to the user and their only defense is to stop using the device," explains Google's report.
"While these gaps exist in most upstream/downstream relationships, they are more prevalent and longer in Android."
N-days as effective as 0-days
In 2022, many issues of this kind impacted Android, most notably CVE-2022-38181, a vulnerability in the ARM Mali GPU. This flaw was reported to the Android Security team in July 2022, deemed as "won't fix," patched by ARM in October 2022, and finally incorporated in the Android April 2023 security update.
This flaw was found to be exploited in the wild in November 2022, a month after ARM released a fix.
Exploitation continued unabated until April 2023, when the Android security update pushed the fix, a whopping six months after ARM addressed the security problem.
- CVE-2022-3038: Sandbox escape flaw in Chrome 105, which was patched in June 2022, yet remained unaddressed on vendor browsers based on earlier Chrome versions, like Samsung’s ‘Internet Browser.’
- CVE-2022-22706: Flaw in the ARM Mali GPU kernel driver patched by the vendor in January 2022.
The two flaws were found to be exploited in December 2022 as part of an attack chain that infected Samsung Android devices with spyware.
Samsung released a security update for CVE-2022-22706 in May 2023, while the Android security update adopted ARM's fix on the June 2023 security update, recording a staggering 17-month delay.
Even after Google releases the Android security update, it takes device vendors up to three months to make the fixes available for supported models, giving attackers yet another window of exploitation opportunity for specific devices.
This patch gap effectively makes an n-day as valuable as a zero-day for threat actors who can exploit it on unpatched devices. Some may consider these n-days more useful than zero-days as the technical details have already been published, potentially with proof-of-concept (PoC) exploits, making it easier for threat actors to abuse them.
The good news is that Google's 2022 activity summary shows that zero-day flaws are down compared to 2021, at 41 found, while the most significant drop was recorded in the browsers category, which counted 15 flaws last year (was 26 in 2021).
Another notable finding is that more than 40% of the zero-day vulnerabilities discovered in 2022 were variants of previously reported flaws, as bypassing fixes for known flaws is usually easier than finding a novel 0-day that can serve on similar attack chains.
Comments
h_b_s - 8 months ago
"Even after Google releases the Android security update, it takes device vendors up to three months to make the fixes available for supported models, giving attackers yet another window of exploitation opportunity for specific devices."
Even longer. I had an Android phone that promised prompt updates on security patches for at least three years. In the third year that promise became unfulfilled in it went almost 6 months without a single Android patch. I dumped it in the third month and went to iOS out of complete disgust for the Android (lack of) security situation while I kept checking back to see if it ever updated. Like I said, it took another 3 months and even that update was out-of-date from 4 months back. iOS is obviously not perfect, but it's a damned sight better in pushing out security updates than anything in the Android ecosystem, even the much ballyhooed Pixels where even Google is not only dropping the ball, they're actively sabotaging any efforts to fix the known problems as it would harm their advertising revenue.
castlefox - 8 months ago
What android device did you have, that was was missing security patches for more than 4 months?
I have had various Pixel phones (Pixel 4a & Pixel 6a). The longest I have gone without a security update was a month, (but that seemed to more of an issue with the carrier, and the carrier was holding off on the monthly update). Then I received an update for next months security update.
I know Google has been moving more of components to the Google play store, so they can push out updates through the Google Play store (so that a user does not need to wait to OEM for an software update). Google has also been also been making changes on the back end so that OEMs have less work to do to make a software update happen on their device.
*Granted it will take some time to see the fruits of this labor*
Are the Android Patch gap for N' days getting worse in 2022 when compared to 2020 and 2021?? Not super clear to me if Google is improving their update situation or someone else is going on?