7 Nov 2023
Multiple vulnerabilities have been reported in Android which could be exploited by an attacker to obtain unauthorised access without any user interaction (no click required), exfiltrate sensitive information, and/or cause a denial of service that leaves the device inaccessible.
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-11-05 or later address all of these issues.
Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open-Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.
The most severe of these issues is a critical security vulnerability in the System component that could lead to local information disclosure with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.
Framework: the most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.
System: the most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.
There are also vulnerabilities in the ARM component, at the Kernel LTS level and at the Google Play store level.
MediaTek vulnerabilities are also reported, which can allow unauthorised access and execution of arbitrary code.
Qualcomm chips, including closed-source components, have multiple critical and high severity vulnerabilities.
If your system has not been updated after 05 November 2023, then it is vulnerable. Even if it has been updated, check that all listed vulnerabilities are closed.
Expect attacks in the wild soon.
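One way to run the patch-level check described above, as an added example that is not part of the original advisory or the Android bulletin: it compares the value of the `ro.build.version.security_patch` property against the 2023-11-05 level. The function names, device names and sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the
# 2023-11-05 level named in the bulletin. Function names are hypothetical.

REQUIRED_LEVEL="2023-11-05"

# Print "patched", "vulnerable" or "unknown" for one patch-level string.
patch_status() {
    lvl=$(printf '%s' "$1" | tr -d '\r ')    # adb output may end in CR
    case "$lvl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;       # empty or malformed value
    esac
    # YYYY-MM-DD without the dashes compares correctly as an integer.
    have=$(printf '%s' "$lvl" | tr -d '-')
    need=$(printf '%s' "$REQUIRED_LEVEL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo "patched"; else echo "vulnerable"; fi
}

# Read "device-id patch-level" lines on stdin and print every device that
# is not confirmed at the required level, together with its status.
report_unpatched() {
    while read -r id level; do
        [ -n "$id" ] || continue
        status=$(patch_status "$level")
        [ "$status" = "patched" ] || echo "$id $status"
    done
}

# Query one device connected over adb (requires adb on PATH).
device_patch_status() {
    patch_status "$(adb shell getprop ro.build.version.security_patch)"
}

# Constructed sample inventory, not real devices.
sample_inventory() {
    printf '%s\n' \
        "phone-01 2023-11-05" \
        "tablet-02 2023-10-05" \
        "kiosk-03" \
        "phone-04 2024-01-01"
}

sample_inventory | report_unpatched
```

A device reported as `unknown` returned no usable patch level and should be checked by hand in Settings.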
Reference: Cert-In - Home Page