Security News

Google patched more than 90 security vulnerabilities in its Android operating system impacting its Pixel devices and third-party Android handsets, including a critical remote code-execution bug that could allow an attacker to commandeer a targeted vulnerable mobile device. The Android System component of the OS also has a second critical vulnerability, an elevation-of-privilege issue tracked as CVE-2021-0516.

Google this week announced the availability of the latest monthly security patches for the Android operating system, which address more than 50 vulnerabilities, including several rated critical severity. The bug affects Android 8.1, 9, 10, and 11 iterations, the same as another critical flaw in the System component - CVE-2021-0516 - which could lead to elevation of privileges.

Google is tightening its privacy practices that could make it harder for apps on Android phones and tablets to track users who have opted out of receiving personalized interest-based ads. The Google Advertising ID, analogous to Apple's IDFA, is a unique device identifier that can be used by app developers to track users as they move between apps to target ads better and measure the effectiveness of marketing campaigns.

While enterprises stagger under sustained ransomware attacks, Android users are increasingly being targeted by banking malware, with Slovakian infosec firm ESET reckoning it had seen a 159 per cent increase in such malicious software over the last few months. Tongue in cheek, the firm added: "It is interesting to see a real-life example of what can cause Android users to suddenly become interested in cybersecurity protection!".

Researchers at cybersecurity firm Check Point discovered that many Android applications publicly expose sensitive user data through misconfigured third-party services. The exposed data, which pertains to more than 100 million Android users, includes chat messages, emails, passwords, location information, user identifiers, photos, and more.

Misconfigurations in multiple Android apps leaked sensitive data of more than 100 million users, potentially making them a lucrative target for malicious actors. "In some cases, this type of misuse only affects the users the developers were also left vulnerable. The misconfigurations put users' personal data and developer's internal resources, such as access to update mechanisms, storage, and more at risk."

More than 100 million Android users are at risk after 23 different mobile apps were found to leak personal data in the wake of rampant cloud misconfigurations. In the case of at least two of the apps, cloud keys were exposed with no safeguards, according to the researchers.

Google updated its May 3 Android security bulletin on Wednesday to say that there are "Indications" that four of the 50 vulnerabilities "May be under limited, targeted exploitation." That was mostly confirmed by Maddie Stone, a member of Google's Project Zero exploit research group, who clarified on Twitter that the "4 vulns were exploited in-the-wild" as zero-days. These four bugs make up a full two-thirds of the six total bugs to be exploited in the wild since 2014, according to Google's tracking spreadsheet.

Google has updated its May 2021 Android security bulletin to alert users that four vulnerabilities appear to have been exploited in attacks. Rolling out to users since early May, the latest Android security update patches over 40 flaws, including four with a severity rating of critical.

Security researchers discovered that personal data of more than 100 million Android users has been exposed due to various misconfigurations of cloud services. The data was found in unprotected real-time databases used by 23 apps with download counts ranging from 10,000 to 10 million and also includes internal developer resources.