A new zero-day is under active exploitation in the wild targeting Android users. Though the bug has already received the fix, it is still a severe security issue for most of the Chinese phones with modified OS or phones will no OS / Security updates.
This vulnerability, CVE-2020-11261, is a high-severity bug and has received a CVSS score of 8.4. It exploits the Qualcomm chipsets, more precisely, the Graphics component for display. The bug is an improper input validation issue. As described in Qualcomm’s advisory,
“Memory corruption due to improper check to return an error when user application requests memory allocation of a huge size”
The vulnerability first caught the attention of the Google Android Security team in July 2020. They then reported the matter to Qualcomm for a fix. Recently, Qualcomm has patched the vulnerability in January 2021 that Google mentioned in its Android Security Bulletin for January 2021. Yet, the bug is continuously being exploited for targeted cyber-attacks around the world.
Despite being serious, the vulnerability has a limitation of local access to the target device. Hence, it rules out the possibilities of remote attacks (easily) that may wage massive hacking campaigns. However, the bug still went under attack as the hackers are exploiting it to specifically aim at certain targets.
Also, attackers employing watering hole attacks may exploit the vulnerability. Therefore, Android users should ensure updating their devices with the latest Android Security patch update. While it’s always recommended to keep all devices up-to-date with the latest software, in the case of security bugs, it is even more important. Whereas, for this zero-day, users should rush to update their Android devices given the active exploitation of the flaw. For the devices, which are not under software or security patch support, it is recommended to procure a good anti-exploit solution to protect the device as well as the data.