The Hidden Dangers of Android’s Patch Delays: N-Days Masquerading as Zero-Days

Google’s annual 0-day vulnerability report has brought to light a persistent issue within the Android platform that increases the risk and usage of disclosed vulnerabilities for extended periods. The report underscores the problem of n-days in Android functioning as 0-days for threat actors.

The Android Ecosystem: A Complex Web

The Android ecosystem’s complexity, involving several steps between the upstream vendor (Google) and the downstream manufacturer (phone manufacturers), contributes to this issue. Factors such as significant discrepancies in security update intervals between different device models, short support periods, and responsibility mixups exacerbate the problem.

A zero-day vulnerability is a software flaw known before a vendor becomes aware or fixes it, allowing it to be exploited in attacks before a patch is available. However, an n-day vulnerability is one that is publicly known with or without a patch.

The Hidden Threat of N-Days

Google warns that attackers can use n-days to attack unpatched devices for months, using known exploitation methods or devising their own, despite a patch already being made available by Google or another vendor. This is caused by patch gaps, where Google or another vendor fixes a bug, but it takes months for a device manufacturer to roll it out in their own versions of Android.

Real-World Examples

In 2022, many issues of this kind impacted Android, most notably CVE-2022-38181, a vulnerability in the ARM Mali GPU. This flaw was reported to the Android Security team in July 2022, deemed as “won’t fix,” patched by ARM in October 2022, and finally incorporated in the Android April 2023 security update. This flaw was found to be exploited in the wild in November 2022, a month after ARM released a fix.

Other notable vulnerabilities include CVE-2022-3038, a sandbox escape flaw in Chrome 105, and CVE-2022-22706, a flaw in the ARM Mali GPU kernel driver. Both of these flaws were exploited in December 2022 as part of an attack chain that infected Samsung Android devices with spyware.

The Patch Gap: A Window of Opportunity for Threat Actors

This patch gap effectively makes an n-day as valuable as a zero-day for threat actors who can exploit it on unpatched devices. Some may consider these n-days more useful than zero-days as the technical details have already been published, potentially with proof-of-concept (PoC) exploits, making it easier for threat actors to abuse them.

The good news is that Google’s 2022 activity summary shows that zero-day flaws are down compared to 2021, at 41 found, while the most significant drop was recorded in the browsers category, which counted 15 flaws last year (was 26 in 2021).

Another notable finding is that more than 40% of the zero-day vulnerabilities discovered in 2022 were variants of previously reported flaws, as bypassing fixes for known flaws is usually easier than finding a novel 0-day that can serve on similar attack chains.

Conclusion and Further Reading

The Android patch gap issue underscores the importance of timely patching and the potential dangers of delay. It also highlights the need for a more streamlined process between upstream vendors and downstream manufacturers. This issue is not unique to Android, and it’s a reminder of the broader challenges in cybersecurity, where the discovery of one vulnerability often leads to the discovery of others in the same product, a phenomenon known as the cascading effect of vulnerability discovery.

For a deeper understanding of the cascading effect of vulnerability discovery, we recommend reading this insightful article on Threat Intel Report.