A New Android Zero-Day Vulnerability Is Under Active Attack


Level 27
Jun 14, 2011
Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by attackers to launch targeted attacks.

Tracked as CVE-2020-11261 (CVSS score 8.4), the flaw concerns an "improper input validation" issue in Qualcomm's Graphics component that could be exploited to trigger memory corruption when an attacker-engineered app requests access to a huge chunk of the device's memory.

"There are indications that CVE-2020-11261 may be under limited, targeted exploitation," the search giant said in an updated January security bulletin on March 18.
CVE-2020-11261 was discovered and reported to Qualcomm by Google's Android Security team on July 20, 2020, after which it was fixed in January 2021.


Staff member
Malware Hunter
Jul 27, 2015
So it's not a 0Day anymore ;)
It absolutely is, and even more so if one does not actually have that specific update installed. It's sadly just how the Android ecosystem is built (a large number of vendors, where some are fast and others are not) and how security updates are delivered. This is far from anything new, but I still won't go "crazy person" paranoid and throw out everything, as software that doesn't have flaws and errors doesn't exist.


Staff member
Jan 8, 2011
Guaranteed, most Android users with a phone older than 18 months will not be getting this update. Luckily, this exploit requires physical access to the device.

Running an Android phone as a home user (not for business) without the latest patches is not dangerous, but it does increase risk the longer you go without any updates.

The open-source nature of Google Android / AOSP means not every Android device gets the updates.
The closed-source nature of Apple iOS / iPadOS guarantees updates for every supported device.

These are the consequences of relying on a third party, i.e. the manufacturer and mobile operator.