7 New Flaws In Android & Google Pixel Devices Let Attackers Elevate Privileges


Seven critical vulnerabilities affecting Android and Google Pixel devices were uncovered during a recent analysis of mobile applications.

These security flaws, discovered through the Oversecured Mobile Application Vulnerability Scanner, pose significant risks to user privacy and device security.

The vulnerabilities affecting Android and Google Pixel devices are tracked as:

  1. CVE-2024-0017
  2. CVE-2023-21383
  3. CVE-2024-34719
  4. CVE-2023-20963
  5. CVE-2021-0600
  6. CVE-2023-21292

Security analysts at Oversecured observed that all these vulnerabilities were marked with the “High” severity tag, and that, of the 7 flaws, the “Default WebChromeClient Configuration Flaw” has not yet received a CVE ID.

Vulnerabilities Overview

Access to User Geolocation Through Camera

  • CVE: CVE-2024-0017
  • Severity: High
  • Allows unprivileged applications to access user geolocation data through the Camera app.

Default WebChromeClient Configuration Flaw

  • Severity: Initially High, later downgraded to Low
  • Enables theft of arbitrary files due to insecure implementation of file picker functionality in WebView.

VPN Bypass List Manipulation

  • CVE: CVE-2023-21383
  • Severity: High
  • Permits attackers to modify VPN bypass app lists, potentially including system apps like Google Chrome.

Incorrect Bluetooth Permission Check

  • CVE: CVE-2024-34719
  • Severity: High
  • Allows interaction with Bluetooth using system privileges, bypassing security checks.

WorkSource Parcel/Unparcel Logic Mismatch

  • CVE: CVE-2023-20963
  • Severity: High
  • Enables launching arbitrary components with system privileges, exploited in the wild by the Pinduoduo app.

HTML Injection in Device Admin Request Screen

  • CVE: CVE-2021-0600
  • Severity: High
  • Allows injection of HTML elements in the Device Admin request screen.

ContentProvider.openFile() Security Check Bypass

  • CVE: CVE-2023-21292
  • Severity: High
  • Enables bypassing internal security checks in the ContentProvider.openFile() method.

These vulnerabilities affect a wide range of Android devices, with some specifically impacting Google Pixel devices.

The flaws could allow malicious actors to elevate privileges, access sensitive data, and manipulate system settings. Google has addressed most of these issues through security updates.

However, the time taken to patch some vulnerabilities, such as the WorkSource logic mismatch, highlights the need for faster response times in addressing critical security flaws.

The discovery of these vulnerabilities underscores the importance of regular security audits and prompt patching in the mobile ecosystem. Users are advised to keep their devices updated with the latest security patches to mitigate potential risks.

For developers and companies, integrating vulnerability scanners into the development process can significantly enhance application security and protect users from potential exploits.
