Google announced on Monday that it has disclosed a critical security flaw in the Android operating system that could allow an attacker to execute code on a device remotely, “without requiring additional permissions to run”. The issue has been assigned CVE-2023-40088. Google says a security update that fixes the bug will be released shortly.
Google has not published technical details about CVE-2023-40088. It is listed under the “System” component, and it can reportedly be used to remotely download and install malware on a device over Wi-Fi, Bluetooth or NFC without the owner’s knowledge or interaction.
Although the vulnerability is exploitable remotely, it is important to note that the attacker must be physically near the victim’s device, within radio range, rather than anywhere on the internet; Google classifies the attack vector as “proximal/adjacent”.
Google hasn’t said how the vulnerability was found or whether it is being exploited in the wild. Patches for Android 11, 12, 12L, 13 and the current Android 14 will be published to the Android Open Source Project (AOSP) in the coming days. From there, each device manufacturer has to integrate the fix and push it to its users through its own update channel, so Google Pixel phones are likely to be the first to receive the update, while timing for other brands will vary.
In the December security bulletin, Google also disclosed several further critical privilege escalation and information disclosure vulnerabilities in Android that affect the Framework and System components. Given the severity of the issues, Android device owners are advised to keep a close eye on the December security updates and install them as soon as they become available.
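A practical way to confirm whether a given device has actually received this fix is to read its declared security patch level and compare it with the level that carries the December 2023 System fixes (2023-12-01). The script below is an added example written for this article, not code from Google or the bulletin; it assumes `adb` is installed for the live check, and the sample patch level strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or Google's bulletin): check whether an
# Android device's declared security patch level covers the December 2023
# bulletin. Android exposes the level as the system property
# ro.build.version.security_patch in YYYY-MM-DD form.

# Patch level the December 2023 bulletin assigns to its System component fixes.
REQUIRED_SPL="2023-12-01"

# patch_level_covers <device_spl> [<required_spl>]
# Prints "patched" or "unpatched"; returns 0 if patched, 1 if not, 2 on bad input.
patch_level_covers() {
    device_spl="$1"
    required_spl="${2:-$REQUIRED_SPL}"
    case "$device_spl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid patch level: $device_spl" >&2; return 2 ;;
    esac
    # Drop the hyphens so YYYY-MM-DD becomes an integer that orders by date,
    # which avoids the non-POSIX string '<' operator in test(1).
    device_num=$(printf '%s' "$device_spl" | tr -d '-')
    required_num=$(printf '%s' "$required_spl" | tr -d '-')
    if [ "$device_num" -lt "$required_num" ]; then
        echo "unpatched"
        return 1
    fi
    echo "patched"
    return 0
}

# check_device: read the live value from a connected device via adb.
# Requires adb in PATH and USB debugging enabled; not exercised below.
check_device() {
    spl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    patch_level_covers "$spl"
}

# Constructed sample values (not from any real device) showing each outcome.
for spl in 2023-11-05 2023-12-01 2023-12-05; do
    printf '%s: ' "$spl"
    patch_level_covers "$spl" || true
done
```

The comparison relies on the bulletin's own convention: a device reporting 2023-12-01 or later has integrated every fix listed up to that level, including CVE-2023-40088, while anything earlier has not, regardless of what the OEM's release notes say.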