Critical Android Security Risk Confirmed, Millions Of Devices Can Be ‘Rooted’

javajolt

Update Now, If You Can

The March 2020 Android security update bulletin has arrived, and it contains confirmation from Google of an elevation-of-privilege vulnerability (CVE-2020-0069) that not only affects millions of Android devices but which is also being actively exploited by cybercriminals.

What is this critical ‘rooting’ vulnerability?

The vulnerability, which has yet to be properly described in the National Vulnerability Database, is known to be within the command queue driver of several 64-bit chips produced by the Taiwanese manufacturer MediaTek.

Details first began to emerge online early in 2019, and an exploit script was published in April 2019 that could enable an attacker to "get root" of a vulnerable device. Unsurprisingly then, the vulnerability has been deemed critical with a CVSS v3.0 score of 9.3.

While the March 2020 Android security bulletin confirms that Google has patched the vulnerability in this update, and that may well be the first you've heard of it, others have known for the best part of a year already. And that includes the cybercriminal fraternity. Indeed, according to the XDA-Developers forum where details of the vulnerability first surfaced, MediaTek made a patch available in all affected chipsets way back in May 2019. "Details of the exploit have actually been sitting openly on the Internet," an XDA-Developers posting stated, "since April of 2019." That same posting mentions how malicious apps using the vulnerability have already been found in, and removed from, the Google Play store. Those apps were found to be exfiltrating data from target devices.

Real-world risk as the exploit is in the wild

So, this isn't some highly convoluted, easy-in-the-labs-but-the-real-world-is-different type of exploit, as seen in the recent $5 smartphone hack story. This is the real deal: a vulnerability that potentially affects millions of devices and is being actively exploited by cybercriminals as you are reading this and, for some devices at least, a patch may be a long time coming. If one comes at all. Not just because Android security updates themselves are something of a lottery when it comes to which devices get them and how quickly, but rather because many of the affected devices are at the budget end of the market and manufacturers have been slow to respond to patching the vulnerability so far. Hopefully, thanks to the very act of Google pushing the update out to a much wider market via the March Android security update, a large swathe of vulnerable devices will be protected. Eventually.

Android 10 users can relax

It should be noted that devices running Android 10 would not appear to be vulnerable to this exploit, only Android 7, 8 and 9. Further mitigation is that the root access granted by this exploit is of a temporary nature, according to the XDA-Developers posting, and does not survive a device reboot. However, that posting also said that "to overcome the limitation of a temporary root, a malicious app can simply re-run the MediaTek-su script on every boot." That an attacker could exfiltrate data and install other malicious apps during this root access is enough, especially as the device user would be none the wiser.

The more technically minded can test if their device with a 64-bit MediaTek CPU is vulnerable, entirely at their own risk, by using the script in the XDA-Developers forum. For everyone else, applying the March 2020 Android security update as soon as possible, and any firmware patch from your device manufacturer, is recommended. As is taking note of all the usual advice about being careful as to the apps you install, the permissions you grant to them, and where you install them from. A malicious app would be able, if the device were vulnerable and the relevant permissions granted, to copy the exploit script and "get root."
