
Google Patches Critical Remotely Exploitable Android Bug

Google’s March 2020 security updates for Android include fixes for over 70 vulnerabilities, including a critical flaw in media framework. 


The critical bug was patched as part of the 2020-03-01 security patch level, which addresses a total of 11 vulnerabilities in framework, media framework, and system. 

The critical vulnerability is a remote code execution flaw tracked as CVE-2020-0032, which impacts devices running Android 8.0, 8.1, 9, and 10. 

According to Google’s advisory, the vulnerability “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.”

Two other flaws in the media framework were addressed, both rated high severity: an elevation of privilege (CVE-2020-0033) and an information disclosure (CVE-2020-0034). The former impacts Android 8.0, 8.1, 9, and 10, while the latter only impacts Android 8.0 and 8.1.

One issue was addressed in framework this month, a high-severity information disclosure tracked as CVE-2020-0031. Only devices running Android 10 are impacted. 

The remaining seven vulnerabilities addressed with the 2020-03-01 security patch level impact system, and all are rated high severity. They comprise two elevation of privilege issues and five information disclosure bugs. 

The second part of this month’s set of patches arrives on devices as the 2020-03-05 security patch level and references 60 vulnerabilities. The flaws impact system, kernel components, FPC, MediaTek, Qualcomm, and Qualcomm closed-source components.

The vulnerability in system is CVE-2019-2194, an elevation of privilege rated high severity and impacting Android 9. 

All four kernel-component flaws could lead to elevation of privilege; they affect the USB, networking, and binder subsystems. 

Of the six vulnerabilities patched in FPC Fingerprint TEE, three are rated high risk and could lead to elevation of privilege, while the other three are rated moderate severity and could lead to information disclosure. 

All of the bugs fixed in Qualcomm components are rated high severity. They affect USB, WLAN, audio, and graphics. 

A total of 40 vulnerabilities in Qualcomm closed-source components are referenced in the March 2020 Android security bulletin. Of them, 16 are rated critical severity, while the remaining are considered high risk. 

The last vulnerability patched as part of the 2020-03-05 security patch level is a high-severity flaw in MediaTek components that could lead to elevation of privilege. Tracked as CVE-2020-0069, the issue resides in the MediaTek Command Queue driver. 

According to XDA-Developers, the vulnerability was initially disclosed in April 2019 and MediaTek released a patch for it the next month. The flaw apparently impacts all of the maker’s 64-bit chips, and an exploit for it has existed for over a year, allowing users to obtain root on their devices. Whether a given device actually carries the fix depends on whether its manufacturer has shipped a build with the 2020-03-05 security patch level or later, so the device’s reported patch level, not the age of the bug, is what a fleet owner needs to check. 

“This is a vulnerability within approximately two dozen MediaTek chipsets that are in millions of Android devices. Because this is a hardware vulnerability, it cannot be patched by Google with an over the air update to the Android operating system. If you have a device running a MediaTek chipset, you should add mobile security that detects when your device is rooted by a third party to protect from attacks using this vulnerability,” Lookout’s Chris Hazelton told SecurityWeek in an emailed comment.

“IT and security teams for organizations should identify Android devices with MediaTek chips that are vulnerable. If your organization has vulnerable devices used by employees, those devices should be monitored and eventually replaced,” Hazelton continued.
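The identification step Hazelton describes above, and the patch-level check implied by the MediaTek bulletin entry, can be scripted against `adb shell getprop` output. The script below is an added example written for this page; it is not from SecurityWeek, Google, MediaTek or Lookout. It assumes (these are assumptions, not facts from the article) that the device exposes `ro.board.platform` and `ro.build.version.security_patch` in the usual `[name]: [value]` getprop format and that MediaTek platforms report as `mt` followed by digits; the three getprop samples are constructed for offline use. A MediaTek device whose patch level is below 2020-03-05 is treated as vulnerable to CVE-2020-0069.

```shell
#!/bin/sh
# Added example (not the article's or any vendor's code): triage Android
# devices against the 2020-03-05 security patch level that carries the fix
# for CVE-2020-0069 in the MediaTek Command Queue driver.

FIX_LEVEL="2020-03-05"

# prop <name> <getprop output>: extract one property value from
# "[name]: [value]" lines. Dots in the name match any character, which is
# harmless for the well-known property names used here.
prop() {
    printf '%s\n' "$2" | sed -n "s/^\[$1\]: \[\(.*\)]$/\1/p"
}

# level_to_int <YYYY-MM-DD>: "2020-03-05" -> 20200305. Anything that is not
# a well-formed patch level (missing property, odd OEM string) becomes 0,
# so it is treated as unpatched rather than silently passing.
level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$1" | sed 's/-//g' ;;
        *) printf '0\n' ;;
    esac
}

# patch_state <patch level>: "patched" if at or after FIX_LEVEL, else "unpatched".
patch_state() {
    lvl=$(level_to_int "$1")
    fix=$(level_to_int "$FIX_LEVEL")
    if [ "$lvl" -ge "$fix" ]; then echo patched; else echo unpatched; fi
}

# is_mediatek <ro.board.platform>: assumption that MediaTek SoCs report "mtNNNN".
is_mediatek() {
    case "$1" in
        mt[0-9]*) echo yes ;;
        *) echo no ;;
    esac
}

# triage <getprop output>: "not-mediatek" | "patched" | "vulnerable".
# Note: the XDA report limits the bug to 64-bit MediaTek chips; the platform
# string alone does not reveal bitness, so every MediaTek device below the
# fix level is flagged and left for a human to confirm.
triage() {
    platform=$(prop ro.board.platform "$1")
    level=$(prop ro.build.version.security_patch "$1")
    if [ "$(is_mediatek "$platform")" != yes ]; then
        echo not-mediatek
    elif [ "$(patch_state "$level")" = patched ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed getprop excerpts (not captured from real devices).
SAMPLE_OLD='[ro.board.platform]: [mt6765]
[ro.build.version.security_patch]: [2020-02-05]
[ro.build.version.release]: [9]'
SAMPLE_NEW='[ro.board.platform]: [mt6765]
[ro.build.version.security_patch]: [2020-03-05]'
SAMPLE_QC='[ro.board.platform]: [msmnile]
[ro.build.version.security_patch]: [2019-12-05]'

for s in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_QC"; do
    echo "$(prop ro.board.platform "$s") $(prop ro.build.version.security_patch "$s"): $(triage "$s")"
done

# Against a real fleet, feed each device's properties in; adb emits CRLF on
# some hosts, so strip the carriage returns first:
#   for d in $(adb devices | awk 'NR>1 && $2=="device"{print $1}'); do
#       echo "$d: $(triage "$(adb -s "$d" shell getprop | tr -d '\r')")"
#   done
```

Patch levels are dates in YYYY-MM-DD form, so converting them to an integer gives a correct ordering without any date library; a device reporting 2020-03-01 is still below the 2020-03-05 level that carries the MediaTek fix and is therefore reported as vulnerable.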

This month, Google also published a large security bulletin for Pixel devices, which describes over 50 additional vulnerabilities that are patched on Google devices running security patch levels of 2020-03-05 or later.

These include three vulnerabilities in framework, four in media framework, sixteen in system, twenty-four in kernel components, four in Qualcomm components, and two in Qualcomm closed-source components. 

The addressed flaws include remote code execution, elevation of privilege, and information disclosure bugs, the vast majority of which are rated moderate severity. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
