Google yesterday rolled out security patches for the Android mobile operating system but did not include the fix for at least one bug that enables increasing permissions to kernel level.

Security flaws that enable privilege escalation can be exploited from a position with limited access to one with elevated access to critical files on the system. In order to utilize this, an attacker should have already compromised the device but have their actions restricted by insufficient permissions.

No ETA for the fix

The Android Security Bulletin for September includes fixes for a couple of critical vulnerabilities in the media framework and a load of high-severity bugs. But vulnerability reported today is not on the list.

The vulnerability exists in the driver for the Video For Linux 2 (V4L2) interface used for video recording. It is estimated as a high-severity zero-day so it does not have an identification number yet.

"The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this to escalate privileges in the context of the kernel."

The kernel is the part of the operating system with the highest privileges. This level of permissions can be used by a malicious application to run code that can lead to full system compromise.

Discovery of the vulnerability is credited to Lance Jiang and Moony Li of TrendMicro Research, who reported it through the Zero Day Initiative (ZDI) program.

Google learned about it in March and acknowledged it. The company, though, said that a fix would become available but gave no date for delivering a patch.

Without an official solution for this security risk, mitigating it falls in the hands of the user. Brian Gorenc, director of Trend Micro’s ZDI program told BleepingComputer that users should be careful with the apps they install on their Android devices.

"They should only load known-good apps directly from the Google Play store and avoid side-loading apps from third parties."

ZDI calculated a severity score of 7.8 out of 10 and deems that exploiting it requires a more advanced adversary capable to deploy a complex attack.

This makes it unattractive to most hackers, but a motivated attacker would not pass the opportunity to use this flaw for persistent presence and complete take over of a target's system.

Gorenc told us that ZDI has no knowledge of any attacks leveraging this vulnerability prior to public disclosure.

Android more secure, for now

Infosec experts seem to have changed for the better their opinion about Android's built-in security.

Exploit broker Zerodium this week increased the payouts for zero-day acquisition, offering $2.5 million for full-chain exploits that achieve persistence on Android. This 25% more than for Apple's iOS.

Zerodium's CEO, Chaouki Bekrar, explains this by saying that Android's security is improving with each release, while the number of iOS exploits has been on the rise over the past few months.

Security researcher the Grugq shares the same opinion, although he admits his bias in this. "Android is a much safer platform than iOS," he says on Twitter.

I sell secured Android smartphones.



Android is a much safer platform than iOS. The ecosystem is garbage. The tracking is a nightmare.



My secured phone is hardened, has a walled garden, and strictly limited tracking.



I trust secured Android over iOS. — thaddeus e. grugq (@thegrugq) September 3, 2019

"Android has become incredibly more resilient, and due to diversity much harder to attack," the Grugq says. He acknowledges that it is easy to infect an Android with malware from the PlayStore or unofficial repositories but a full exploit chain that works across a large range of devices is a rare thing.