Android's December security update fixes over 80 security vulnerabilities affecting smartphones -including four flaws classed as critical.
According to Google's Android security bulletin for December 2022, the most severe vulnerability is one in Android's System component, which could allow attackers to remotely execute code over Bluetooth without the need for device permissions.
The four critical vulnerabilities affect Android versions 10 to 13. Two of them -CVE-2022-20411 and CVE-2022-20498 -are in the System component of the Android operating system, while the other two -CVE-2022-20472 and CVE-2022-20473 -are in Android's Application Framework and could allow attackers to remotely execute code, with no additional execution privileges needed.
Google hasn't yet provided full details about how exactly the vulnerabilities work. That approach follows the company's usual procedure of not disclosing information on how attacks take place in order to avoid providing attackers clear instructions on how to exploit the vulnerabilities before users are protected by the latest update, which users are urged to apply as soon as possible.
Also: Cybersecurity: These are the new things to worry about in 2023
"Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible," said the Android security bulletin.
Android software updates and security patches should be automatically downloaded onto devices. If auto download isn't turned on, you can search for and download the latest security patch under software update settings. Users can also check which version of Android they're using in phone settings.
Among the other security issues that the latest Android update fixes are a high-severity vulnerability in Android Runtime (CVE-2022-20502) and a high-severity vulnerability in Media Framework (CVE-2022-20496) -both could lead to local information disclosure without an attacker needing additional privileges. A high-severity vulnerability in the Kernal (CVE-2022-23960) could also lead to the same issue.
The full list of vulnerabilities is available on the Android Security Bulletin for December 2022.
While there's no indication that any of the vulnerabilities have yet been used by cyber criminals, applying the security update as soon as possible will help users stay protected from attacks.