Google published its monthly security bulletin for August on Monday, detailing the latest available patches for Android.
A total of 37 vulnerabilities have been patched, including a critical security flaw in the System component that could lead to remote code execution via Bluetooth with no additional execution privileges needed.
The Bluetooth vulnerability is tracked as CVE-2022-20345 and has been patched on Android 10, 11, 12 and 12L.
The remaining flaws that were patched in Google’s August security bulletin were assigned a high severity rating as many of them could lead to privilege escalation or information disclosure.
They impacted respectively components like Framework, Media Framework, System, Kernel, Imagination Technologies, MediaTek, Unisoc and Qualcomm components.
The bulletin has two security patch levels to give Android partners the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly.
“Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level,” read the bulletin. “Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.”
More generally, security vulnerabilities are split between Google’s bulletin and device / partner security bulletins due to the fact that Android device and chipset manufacturers may also publish security vulnerability details specific to their products.
And while security vulnerabilities that are documented in Google’s security bulletin are required to declare the latest security patch level on Android devices, the same does not apply to additional security vulnerabilities that are documented in device / partner security bulletins.
The complexity of Android’s patching system across different manufacturers represents a security issue for the operating system, but Google is regularly pushing out updates to fix as many vulnerabilities as possible as soon as they became known.
Still, cyber-attacks targeting Android remain common. Just over a month ago, for instance, security researchers from Cleafy spotted a new Android Banking Trojan they dubbed Revive.