Last week, Google published the Android Q security release notes as an update to the Android Open Source Project (AOSP) security bulletin. Per this update, there are 193 Android security vulnerabilities in the latest version of Android. They fall into the elevation of privilege, remote code execution, information disclosure and denial of service categories. Two are in the Android runtime, two in the library and 24 in the framework. The Android media framework has 68 vulnerabilities and the Android system has 97. All are rated “moderate” in severity.
Google says these issues are fixed in the default Android 10 patch level of 2019-09-01, which ships with the release of the new OS. “Android Q, as released on AOSP, has a default security patch level of 2019-09-01. Android devices running Android Q and with a security patch level of 2019-09-01 or later address all issues contained in these security release notes,” reads the update. The update specifies that “Google has had no reports of active customer exploitation or abuse of these newly reported issues.”
At Google I/O in May, Google released Android Q beta 3. With that release, Google announced that Android Q would double down on security and privacy features, such as a Maps incognito mode, reminders for location usage and sharing (such as only when a delivery app is in use), and TLS 1.3 encryption for low-end devices. Security updates will also roll out faster, installing over the air without requiring a device reboot. The last beta update for Android Q was rolled out in August as Beta 6.
Other privacy changes Google has announced for Android Q so far include:
- Scoped storage: There are new limits on access to files in shared external storage.
- Device Location: Android Q has a new user option to allow access to device location only while your app is in use in the foreground.
- Background App Starts: There are new restrictions on launching activities from the background without user interaction.
- Hardware Identifiers: There are restrictions on access to device hardware identifiers such as IMEI, serial number, MAC, and similar data.
- Camera And Connectivity: Android 10 restricts access to full camera metadata, and the FINE location permission is now required for many connectivity workflows.
Android has been a target of hackers for a long time. Recently, in July, Check Point researchers reported a new mobile malware attack called ‘Agent Smith’, which infected around 25 million Android devices. The malware is used for financial gain through malicious advertisements. Concealed under the identity of a Google-related app, it exploited known Android vulnerabilities and automatically replaced installed apps with malicious versions without the user's consent.