Date: 2023-07-31

Google has released its annual report on 0-day vulnerabilities, revealing the exploitation trends of 2022 and shedding light on a persistent issue in the Android platform. The report highlights the problem of n-days in Android, which function as 0-days for threat actors.

The complexity of the Android ecosystem is the root cause of this problem. A fix passes through multiple steps between the upstream vendor (Google) and the downstream phone manufacturers, which leads to significant differences in security update intervals among different device models. Additionally, short support periods and responsibility mixups contribute to the issue.

Zero-day vulnerabilities are software flaws that become known before the vendor is aware of them or has fixed them. This allows them to be exploited in attacks before a patch is available. N-day vulnerabilities, on the other hand, are ones that are publicly known, with or without a patch.

Google warns that attackers can exploit n-days to attack unpatched devices for months, using known methods of exploitation or devising their own, even if a patch has already been made available by Google or another vendor.

This is mainly due to patch gaps, where a bug is fixed by Google or another vendor, but it takes several months for a device manufacturer to roll out the fix in their own versions of Android. These gaps allow n-days to function as 0-days, as there is no readily available patch for the user to apply.

In 2022, several instances of this problem affected Android users. One notable example is the vulnerability CVE-2022-38181, a flaw in the ARM Mali GPU. The flaw was reported to the Android Security team in July 2022, but it wasn’t deemed a priority and remained unpatched until April 2023. Exploitation of this flaw continued for six months after ARM released a fix.

Another notable case is CVE-2022-3038, a sandbox escape flaw in Chrome 105. Although it was patched in June 2022, it remained unaddressed in vendor browsers based on earlier Chrome versions, such as Samsung’s ‘Internet Browser.’ This flaw was exploited in December 2022 alongside another flaw, CVE-2022-22706, which affected the ARM Mali GPU kernel driver.

Even after Google releases the Android security update, it can take up to three months for device vendors to make the fixes available for supported models. This delay gives attackers an additional window of opportunity to exploit specific devices.

The report highlights that these patch gaps effectively make n-days as valuable as zero-days for threat actors. In some cases, n-days may be even more useful, as technical details and potential proof-of-concept exploits have already been published, making it easier for attackers to abuse them.

On a positive note, Google’s report shows a decrease in zero-day flaws compared to 2021, with 41 vulnerabilities discovered in 2022. The browsers category also saw a significant drop, down to 15 flaws from 26 in 2021.

Additionally, the report reveals that over 40% of the zero-day vulnerabilities found in 2022 were variants of previously reported flaws. This suggests that bypassing fixes for known vulnerabilities is often easier for threat actors than finding new zero-days that can be exploited in similar attack chains.