Google: Android patch gap makes n-days as dangerous as zero-days

Gandalf_The_Grey

Google has published its annual 0-day vulnerability report, presenting in-the-wild exploitation stats from 2022 and highlighting a long-standing problem in the Android platform that elevates the value and use of disclosed flaws for extended periods.

More specifically, Google's report highlights the problem of n-days in Android functioning as 0-days for threat actors.

The problem stems from the complexity of the Android ecosystem, involving several steps between the upstream vendor (Google) and the downstream manufacturers (phone makers), significant discrepancies in security update intervals between different device models, short support periods, responsibility mix-ups, and other issues.

A zero-day vulnerability is a software flaw known before a vendor becomes aware or fixes it, allowing it to be exploited in attacks before a patch is available. However, an n-day vulnerability is one that is publicly known with or without a patch.

For example, if a bug in Android is known before Google becomes aware of it, it is called a zero-day. However, once Google learns about it, it becomes an n-day, with the n reflecting the number of days since it became publicly known.

Google warns that attackers can use n-days to attack unpatched devices for months, using known exploitation methods or devising their own, despite a patch already being made available by Google or another vendor.

This is caused by patch gaps, where Google or another vendor fixes a bug, but it takes months for a device manufacturer to roll it out in their own versions of Android.

"These gaps between upstream vendors and downstream manufacturers allow n-days - vulnerabilities that are publicly known - to function as 0-days because no patch is readily available to the user and their only defense is to stop using the device," explains Google's report.

"While these gaps exist in most upstream/downstream relationships, they are more prevalent and longer in Android."
 
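The report's point is that a device stuck on an old security patch level is exposed to every bulletin published since, and each of those fixes has been public for n days. The following is an added example, not code from the thread or from Google's report: it parses the `ro.build.version.security_patch` property (the real Android property, in its real YYYY-MM-DD format) out of a constructed `adb shell getprop` dump, compares it against a constructed list of monthly bulletin dates, and reports which bulletins the device lacks and how many days each has been an n-day. The sample property dump, the bulletin dates and the "today" date are all constructed for the example; real bulletins list CVEs, which are deliberately left out here.

```python
"""Estimate an Android device's patch gap from its reported security patch level.

Added example for the thread above; not code from Google's report.
"""
from datetime import date

# Constructed sample of `adb shell getprop` output (not captured from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2023-03-01]
[ro.product.model]: [example-device]
"""

# Constructed list of monthly bulletin patch levels (first of each month,
# Jan..Jul 2023). Dates only; no CVE identifiers are included.
SAMPLE_BULLETINS = [date(2023, month, 1) for month in range(1, 8)]

# Constructed "today" so the example is reproducible offline.
SAMPLE_TODAY = date(2023, 7, 20)


def parse_getprop(output):
    """Parse `getprop` dump lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in output.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line):
            continue  # skip anything that is not a property line
        key, _, value = line[1:].partition("]: [")
        props[key] = value.rstrip("]")
    return props


def parse_patch_level(value):
    """Android reports the patch level as an ISO date string, e.g. 2023-03-01."""
    return date.fromisoformat(value)  # raises ValueError on a malformed value


def missing_bulletins(patch_level, bulletins, today):
    """Bulletins published after the device's level, each with its age in days.

    Returns a list of (bulletin_date, n_days) sorted oldest first. Bulletins
    dated in the future relative to `today` are ignored.
    """
    return [
        (bulletin, (today - bulletin).days)
        for bulletin in sorted(bulletins)
        if patch_level < bulletin <= today
    ]


def exposure_days(patch_level, bulletins, today):
    """Days since the oldest bulletin the device lacks was published (0 if none)."""
    missing = missing_bulletins(patch_level, bulletins, today)
    return missing[0][1] if missing else 0


def device_patch_gap(getprop_output, bulletins, today):
    """Full pipeline: getprop dump -> (patch level, missing bulletins, exposure days)."""
    props = parse_getprop(getprop_output)
    level = parse_patch_level(props["ro.build.version.security_patch"])
    missing = missing_bulletins(level, bulletins, today)
    return level, missing, exposure_days(level, bulletins, today)


if __name__ == "__main__":
    level, missing, gap = device_patch_gap(SAMPLE_GETPROP, SAMPLE_BULLETINS, SAMPLE_TODAY)
    print(f"device patch level: {level}")
    for bulletin, n_days in missing:
        print(f"  missing bulletin {bulletin}: public for {n_days} days")
    print(f"exposure window: {gap} days")
```

On a real device the dump comes from `adb shell getprop` and the bulletin dates from the published Android Security Bulletin index; the arithmetic is the same. A non-zero exposure window is exactly the "n-day functioning as a 0-day" situation the report describes: the fixes exist upstream, but this device has none of them.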

oldschool

The problem stems from the complexity of the Android ecosystem, involving several steps between the upstream vendor (Google) and the downstream manufacturers (phone makers), significant discrepancies in security update intervals between different device models, short support periods, responsibility mix-ups, and other issues.
I always assumed this was the case since the phone mfr is the variable factor in issuing updates, in my case with an older cheapo Samsung version.
 

ForgottenSeer 97327

recycle it or use it as your offline notepad.
Blackbook of passwords?

Yep, safer to use Apple phones or vanilla Android. My smartphones last on average four years. When buying mainstream, the length and interval of maintenance relates to the sales success of a specific model. I have a Samsung A53 while my wife has an A54. We usually buy the same models, but not at the same time. In the past we have noticed that a sales success kept on getting three- and six-month updates, while the less successful successor only got six-month and yearly updates.
 
