Google's annual 0-day vulnerability report for 2022 paints an unsettling picture of the Android ecosystem's security landscape, spotlighting a persistent issue that keeps publicly disclosed software flaws valuable and usable to attackers for far longer than they should be.
The report focuses on the problematic reality of n-day vulnerabilities acting as 0-days for cybercriminals in the Android ecosystem. An n-day vulnerability is a software flaw that is publicly known, with or without a patch. It turns into a zero-day vulnerability when threat actors learn about it before the vendor does, allowing it to be exploited before a patch becomes available.
The problem's roots lie in the complex structure of the Android ecosystem, which spans several stages between the upstream vendor (Google) and the downstream manufacturers (phone makers). Several hurdles, such as differing security update intervals across device models, short support periods, tangled lines of responsibility, and delays in patch rollout, amplify the problem.
An n-day vulnerability quickly escalates into a 0-day threat as attackers exploit unpatched devices for months, either employing known exploitation techniques or formulating their own, despite a patch being available from Google or other vendors. This lag occurs due to patch gaps, where a fix for a bug takes months to be implemented by device manufacturers in their Android versions.
"These gaps between upstream vendors and downstream manufacturers allow n-days - vulnerabilities that are publicly known - to function as 0-days because no patch is readily available to the user and their only defense is to stop using the device," Google's report stated.
In 2022, a host of such issues plagued Android, including the striking instance of CVE-2022-38181, a flaw in the ARM Mali GPU. Despite being reported to the Android Security team in July 2022 and patched by ARM in October 2022, it was only incorporated into the Android security update in April 2023. This prolonged delay led to rampant exploitation of the flaw until the update finally arrived.
The Android platform was also affected by two other vulnerabilities, CVE-2022-3038 and CVE-2022-22706, which saw exploitation in December 2022, resulting in the infection of Samsung Android devices with spyware. Samsung and Android security updates for these vulnerabilities took five and 17 months, respectively, further exposing the devices to threats.
After an Android security update is released, it takes device vendors up to three months to make the fixes available for supported models. This delay effectively lets n-days operate as 0-days, giving threat actors a generous window of exploitation opportunity. In fact, some threat actors may find these n-days more advantageous than zero-days, as technical details and possibly proof-of-concept (PoC) exploits are already public, simplifying their work.
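To make the exposure window concrete from the defender's side, here is an added example (not from Google's report or the article) that measures the upstream-to-downstream patch gap and flags fleet devices whose Android security patch level predates the bulletin carrying a fix. It uses the CVE-2022-38181 timeline the article gives (ARM fix in October 2022, Android bulletin in April 2023); the exact day values, the device inventory and the assessment date are assumptions constructed for the example. The patch level string format follows Android's `ro.build.version.security_patch` property (YYYY-MM-DD).

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Timeline for CVE-2022-38181 as the article gives it: fixed by ARM in
# October 2022, shipped in the Android security bulletin in April 2023.
# The article only names months, so the day values are assumptions.
UPSTREAM_FIX = date(2022, 10, 1)
ANDROID_BULLETIN = date(2023, 4, 1)
AS_OF = date(2023, 7, 1)  # assumed assessment date for the fleet check


@dataclass
class Device:
    name: str
    security_patch: str  # value of ro.build.version.security_patch, "YYYY-MM-DD"


def parse_patch_level(value: str) -> Optional[date]:
    """Parse an Android security patch level; return None if it is malformed."""
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except ValueError:
        return None


def patch_gap_days(upstream_fix: date, downstream_release: date) -> int:
    """Days between the upstream (vendor) fix and the downstream (Android bulletin) release."""
    return (downstream_release - upstream_fix).days


def exposed_devices(fleet, bulletin: date, upstream_fix: date, as_of: date):
    """Return (device name, days exposed, reason) for each device not yet carrying the fix.

    A device counts as exposed when its patch level predates the bulletin that
    carries the fix, or when the patch level cannot be parsed (fail closed:
    an inventory gap is treated as unpatched until proven otherwise).
    Days exposed are counted from the upstream fix, the point at which the
    flaw and its fix became public and the n-day window opened.
    """
    results = []
    days_public = (as_of - upstream_fix).days
    for dev in fleet:
        level = parse_patch_level(dev.security_patch)
        if level is None:
            results.append((dev.name, days_public, "unparseable patch level"))
        elif level < bulletin:
            results.append((dev.name, days_public, f"patch level {level} predates {bulletin}"))
    return results


# Constructed fleet; names and patch levels are invented for the example.
FLEET = [
    Device("tablet-01", "2022-12-01"),  # still on a pre-April-2023 patch level
    Device("phone-07", "2023-04-05"),   # carries the April 2023 bulletin
    Device("phone-12", "2023-06-01"),
    Device("kiosk-03", "unknown"),      # inventory gap: treated as exposed
]

if __name__ == "__main__":
    print("upstream-to-Android patch gap:", patch_gap_days(UPSTREAM_FIX, ANDROID_BULLETIN), "days")
    for name, days, why in exposed_devices(FLEET, ANDROID_BULLETIN, UPSTREAM_FIX, AS_OF):
        print(f"{name}: exposed {days} days ({why})")
```

The two numbers the script produces are the ones worth tracking: the gap between the upstream fix and the Android bulletin (how long the n-day existed before any Android device could receive it), and the per-device count of days since the flaw became public, which keeps growing for every model whose vendor has not yet shipped the bulletin.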
However, Google's 2022 activity summary indicates a decrease in zero-day flaws compared to 2021, with 41 discovered, and a notable dip in the browser category, down to 15 from 26. Additionally, over 40% of the zero-day vulnerabilities found in 2022 were variants of previously reported flaws, suggesting that attackers find bypassing fixes for known vulnerabilities easier than discovering entirely new 0-days.