Android n-day bugs pose zero-day threat

In the Android ecosystem, n-day vulnerabilities are almost as dangerous as zero-days, according to Google’s review of zero-days exploited in the wild in 2022.

Android zero-days

N-days functioning as zero-days

Zero-days are software bugs that are unknown to the vendor but known to – and exploited by – threat actors. They become n-days when their existence has been made public, with or without a patch being available.

The problem is considerable in the Android ecosystem, since Google’s Android security team often quickly pushes out patches for zero-days but downstream original equipment manufacturers (OEMs) may take a while to release a fix for users to apply.

“This is a great case for attackers. Attackers can use the known n-day bug, but have it operationally function as a 0-day since it will work on all affected devices,” noted Maddie Stone, Security Researcher at Google’s Threat Analysis Group (TAG).

Additional findings

The report revealed that 41 in-the-wild 0-days have been detected and disclosed in 2022, showing a drop from the 69 reported in 2021.

Also, the number of in-the-wild 0-days targeting browsers dropped by 42% from 2021 to 2022. This could be due to browsers having been made more resilient, but also because of changes in attacker behavior, Google posits.

“Many attackers have been moving towards 0-click rather than 1-click exploits. 0-clicks usually target components other than the browser,” Stone noted.

But what’s even more concerning is that over 40% of the discovered 0-days in 2022 were variants of vulnerabilities that have already been reported but inadequately patched.

The goal should be to make 0-day exploitation harder, by patching them correctly and comprehensively.

“We consider a patch to be complete only when it is both correct and comprehensive. A correct patch is one that fixes a bug with complete accuracy, meaning the patch no longer allows any exploitation of the vulnerability. A comprehensive patch applies that fix everywhere that it needs to be applied, covering all of the variants,” Stone explained.

“When exploiting a single vulnerability or bug, there are often multiple ways to trigger the vulnerability, or multiple paths to access it. Many times we see vendors block only the path that is shown in the proof-of-concept or exploit sample, rather than fixing the vulnerability as a whole. Similarly, security researchers often report bugs without following up on how the patch works and exploring related attacks.”

Finally, 2022 has also been marked by threat actors discovering and exploiting the same 0-day vulnerability.

“Over the last couple of years we’ve become aware of a trend of a high number of bug collisions, where more than one researcher has found the same vulnerability. This is happening amongst both attackers and security researchers who are reporting the bugs to vendors,” Stone noted.

Room for improvement

Despite the considerable improvements shown in the findings, there’s still a lot to keep in mind when it comes to addressing vulnerabilities and ensuring system security.

To adequately protect users, providing patches quickly is crucial. It is also important to conduct a vulnerability root cause analysis and share technical details.

Finally, reported vulnerabilities should be used as learning opportunities to enhance understanding and address them effectively.

“None of this is easy, nor is any of this a surprise to security teams who operate in this space. It requires investment, prioritization, and developing a patching process that balances both protecting users quickly and ensuring it is comprehensive, which can at times be in tension,” Stone concluded.

Don't miss