Kryptowire Advises to Proactively and Regularly Patch Smart Devices
Kryptowire Inc., a mobile security and privacy solutions company, today publicly announced the discovery of a major security vulnerability (CVE-2021-0706) affecting all Android devices and vendors running Android versions 10 & 11. First discovered in July 2021, Google considered the vulnerability to be of "high" severity and offered a patch within three months. However, on average, only a minority of users (17%) installed an update on the day of its release and the update rate significantly drops over the period of 102?days, with only 53.2% of users, on average, updating within a week¹. With more than 50% of Android tablet and mobile users currently running Android 10 & 11², Kryptowire encourages Android users to routinely update their devices to prevent exploitation.
This particular vulnerability, discovered by Kryptowire, allowed unauthorized apps to make device-level changes, which could be used to disable apps providing security defenses, hold the device for ransom, cause the device to persistently crash at boot (requiring the user to wipe the device to recover it, resulting in potential data loss), bypass third-party lock-screen apps, disable competitor apps, among other uses.
The vulnerability was discovered during a routine scan of a pre-production device with Kryptowire's Mobile Application Security Testing (MAST) solution, which enables companies to proactively detect security weaknesses and vulnerabilities in mobile apps. Kryptowire discovered the vulnerability in a pre-installed app called System UI, where users were exposed to unauthorized privilege escalation and local Denial of Service (DoS) attacks. The System UI application is present in core Android code, which affects all Android vendors. A patch, released in October 2021, remediates this vulnerability. According to StatConter, more than 50% of Android tablet and mobile users are currently running Android 10 & 11.
For more technical information on the vulnerability visit: https://www.kryptowire.com/blog/Disabling-Arbitrary-App-Components-Vulnerability-in-AOSP
About Kryptowire MAST
Kryptowire Mobile Application Security Testing (MAST) allows organizations and users to scan devices for security and privacy vulnerabilities. As mobile devices become the focal point of users in both their personal and professional lives, the far-reaching impact of potential security and privacy vulnerabilities continues to increase and threat actors are targeting mobile devices with greater prevalence.
"The best way to prevent security disasters is to stay one step ahead of bad actors," said Alex Lisle, CTO, Kryptowire. "To that end, we often collaborate with industry manufacturers to run a proverbial joint offense. Last year, we were grateful for the opportunity to work with Google and Android to help them neutralize a major vulnerability before it became a threat."
About Kryptowire Inc.
Kryptowire is a leader in cloud-based mobile security and privacy solutions, delivering end users and businesses the peace of mind that comes with privacy-first mobile security. Our mission is to make privacy-first mobile security more efficient, effective, and accessible to people and organizations around the world.
¹ A study publicized by Journal of Cybersecurity
² According to StatCounter