A critical vulnerability in Android can be exploited without clicks – francoischarron.com

In its security bulletin for December 2023, Google reveals the existence of a significant security flaw. More specifically, the bug affects phones and tablets running Android 11, 12, 12L, 13 and 14 systems. This bug allows a hacker to take control of the device without having to click anything. . A security patch is delivered via an update, but not everyone is eligible for it at the same time.

Android phone and tablet owners know that one must be extremely careful with this system as it poses many threats.

Not only do we need to be wary of fake applications on the Play Store, but also APK files, phishing, etc.

With its so-called open system, Android opens the door to more risks.

While most of these risks require action on our part (downloading an application, a file, or clicking on a link), there are also threats where we can be affected without even doing anything!

What risks does CVE-2023-40088 pose?

These threats are known as “zero-click” vulnerabilities and Google has revealed the existence of such a vulnerability in its security report.

This bug is codenamed: CVE-2023-40088.

Unsurprisingly, Google revealed that this is a critical bug. However, the Mountain View company remains unclear about the actual nature of the flaw and how it can be exploited. This is because they don’t want to give the recipe to hackers.

So we can read in their press release:

The most serious of these issues is a critical security vulnerability in the system component that could lead to remote (proximal/adjacent) code execution without requiring additional execution privileges. No user interaction is required for operation.

In summary, a hacker can completely take control of our device without us even clicking anything!

How is it possible?

Again, we don’t know for sure, but generally zero-click vulnerabilities exploit a vulnerability in the system and spread either through:

  • Emails
  • Text/SMS
  • Social networks
  • Robocalls
  • Malicious websites
  • Messaging apps

This way we can quickly see how serious an incorrect size is!

Which Android versions are affected by the security vulnerability?

This error affects phones and tablets running:

  • Android 11
  • Android 12
  • Android 12L
  • Android 13
  • Android 14

To find out the version of your Android device, just go to: Settings -> system -> Over the phone -> Android version.

How do I properly secure my phone and tablet?

Google has released an emergency update to address the CVE-2023-40088 vulnerability via the Android Open Source Project.

The problem is that not all devices can be equipped with it at the same time.

Since there are several manufacturers of Android devices (Samsung, Motorola, HTC, etc.), it is up to each manufacturer to roll out the update for their devices.

We therefore have to regularly check whether a new update is offered on our device.

How do I check and perform updates on Android?

To check if a new update is available and install it, you must:

  • Open it Settings
  • Select tab: system
  • To move on: System update
  • On some loads: Check for updates
  • Note that the exact wording may change from manufacturer to manufacturer, while we’re using that of Google’s Pixel phones.

    For example, on a Samsung phone, just go to Settings and then scroll to the Software Update tab.

    It’s also possible to simply type “update” in the Settings search bar to be redirected to the correct location.

    What to do if no updates are available?

    As already mentioned, not all Android devices have access to the update at the same time.

    What do we do if we are not offered the update? How do we protect ourselves from a vulnerability that can be exploited without our intervention?

    The only answer is to get a good mobile antivirus.

    Even if our phone has a basic protection solution (Knox on Samsung for example), the fact remains that these systems need to be updated to detect threats.

    If our phone does not have access to new updates, this type of defense solution will no longer be updated! So you can’t identify the threat…

    For this reason, it is always recommended to have a good mobile antivirus, as the solutions of major cybersecurity companies are constantly updated to detect the latest threats.