Android phones with a Qualcomm chipset are vulnerable to various WiFi attacks that could allow an attacker to execute code on the device remotely. Google has released updates during the monthly patch cycle to address the issues. The updates are available for Android 10, 11, 12, 12L and 13.
This month, Google has fixed a total of 42 vulnerabilities with the monthly Android update, four of which have been identified as critical. In addition to security vulnerabilities in its own Android code, it also concerns vulnerabilities in software from manufacturers such as MediaTek and Qualcomm.
Vulnerabilities addressed include a critical vulnerability in the Android Framework that could allow a rogue app or attacker with local access without additional permissions to elevate its privileges. Local "escalation of privilege" vulnerabilities, as the issue is called, are rarely labeled critical, indicating a serious vulnerability.
The remaining three critical vulnerabilities (CVE-2022-25720, CVE-2022-25718, and CVE-2022-25748) are present in Qualcomm's Wi-Fi host and Wi-Fi firmware. While connecting to a Wi-Fi network, roaming, processing the authentication handshake and processing GTK frames, memory corruption can occur, among other things, which can lead to a buffer overflow. This allows an attacker to run his own code on the device. The impact of CVE-2022-25720 and CVE-2022-25748 has been rated 9.8 on a scale of 1 to 10. CVE-2022-25718 has been awarded an impact score of 9.1.
Google works with so-called patch levels, where a date indicates the patch level. Devices that receive the October updates will have '2022-10-01' or '2022-10-05' as patch level. Manufacturers who want their devices to get this patch level should in this case add all updates from the October Android bulletin to their own updates, and then roll them out to their users. The updates have been made available for Android 10, 11, 12, 12L and 13.
Manufacturers of Android devices were informed at least a month ago about the vulnerabilities that have now been fixed, according to Google, and have been able to develop updates in that time. However, that does not mean that all Android devices will receive these updates. Some devices are no longer supported with updates from the manufacturer or the manufacturer releases the updates at a later time.