In an annual report presenting statistics on exploits identified in 2022, Google shed light on the Android system’s long-term problem with known exploits that are generally left unfixed for long periods.

The report specifically emphasized the degree of threat posed by n-day exploits, which it said are of the same caliber as 0-days when leveraged by threat actors.

Centered on the Android ecosystem, the issue illustrates how intricate the update process is. The many steps required between the upstream vendor and the downstream manufacturer lead to gaps in security updates across device models, mix-ups in responsibility, and short periods of support, among other issues.

In technical terms, 0-day vulnerabilities are flaws that were identified before the vendor becomes aware of them or issues a fix for them, leaving the system susceptible to attacks in the interim.

A “0-day vulnerability” is then reclassified as an “n-day vulnerability” as soon as the public is made aware of the flaw, whether or not there is a fix in place.

In simpler terms, a 0-day is a flaw that is known, but not yet to Google. It becomes an n-day as soon as Google is informed, with “n” signifying the number of days since the flaw was made known to the public.

Even when Google or the vendor makes a patch available in response to the reported defect, Google warns of a large window of opportunity for attacks, given how long the update takes to reach the intended recipients, often months at a time.

Although the Google report justifies the delay as somewhat commonplace in most upstream/downstream relationships, it also states that the issue is more common, and the delay longer, in Android.

With the device left wide open to attacks until the patch arrives, Google claims that the only way to protect it is to temporarily stop using it.
