Android's December security update fixes over 80 security vulnerabilities affecting smartphones -including four flaws classed as critical. 

According to Google's Android security bulletin for December 2022, the most severe vulnerability is one in Android's System component, which could allow attackers to remotely execute code over Bluetooth without the need for device permissions.  

The four critical vulnerabilities affect Android versions 10 to 13. Two of them -CVE-2022-20411 and CVE-2022-20498 -are in the System component of the Android operating system, while the other two -CVE-2022-20472 and CVE-2022-20473 -are in Android's Application Framework and could allow attackers to remotely execute code, with no additional execution privileges needed. 

Security

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next

Google hasn't yet provided full details about how exactly the vulnerabilities work. That approach follows the company's usual procedure of not disclosing information on how attacks take place in order to avoid providing attackers clear instructions on how to exploit the vulnerabilities before users are protected by the latest update, which users are urged to apply as soon as possible. 

Also: Cybersecurity: These are the new things to worry about in 2023   

"Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible," said the Android security bulletin. 

Android software updates and security patches should be automatically downloaded onto devices. If auto download isn't turned on, you can search for and download the latest security patch under software update settings. Users can also check which version of Android they're using in phone settings. 

Among the other security issues that the latest Android update fixes are a high-severity vulnerability in Android Runtime (CVE-2022-20502) and a high-severity vulnerability in Media Framework (CVE-2022-20496) -both could lead to local information disclosure without an attacker needing additional privileges. A high-severity vulnerability in the Kernal (CVE-2022-23960) could also lead to the same issue. 

The full list of vulnerabilities is available on the Android Security Bulletin for December 2022.

While there's no indication that any of the vulnerabilities have yet been used by cyber criminals, applying the security update as soon as possible will help users stay protected from attacks. 

MORE ON CYBERSECURITY

• 5 quick tips for better Android phone security right now
• Android security warning: These crooks phone you and trick you into downloading malware
• Google warns: Android 'patch gap' is leaving these smartphones vulnerable to attack
• Time to update: Google Chrome browser patches high-severity security flaw
• These cybersecurity vulnerabilities are most popular with hackers right now - have you patched them?