This occurs when the user locks the screen of their device and navigates to any website with JavaScript enabled. In the above scenario, the user will be able to access the device's files, send and receive messages, and make calls with the device's SIM card. This can be exploited by a hacker to access the device and steal data. It is recommended that you enable the secure browsing feature to prevent this, which is available in the Google settings.

The new Android security updates for Sep-2018 and Mar-2019 introduced Dynamic Lockscreen. Improper authorization in Dynamic Lockscreen prior to SMR and Android S/R update allows unauthorized use of the JavaScript interface API. This issue has been patched in Android R and Android S. Update your device to avoid this issue.

How to check if your device is affected by CVE-2022-39862?

To check if your device is affected by CVE-2022-39862, follow these steps:
1. Navigate to Settings > Security & location > Lock screen and security > Dynamic lock settings.
2. If you see the option "Dynamic Lockscreen prior to SMR" set to "On", then your device is not affected by this issue.
3. If you see the option "Dynamic Lockscreen prior to SMR" set to "Off", then your device is vulnerable and needs the update released in September 2018 or March 2019.

How to check if your device is affected by CVE-2022-3978?

1. You must enable the secure browsing feature in your device settings.
2. Visit "Settings > Security and privacy > Dynamic Lockscreen" and tap on "Manual".
3. Look for the "Dynamic Lockscreen Prior to SMR update" text near the bottom of the screen, and make sure that it says "Enabled" and not any other text.
4. If you don't see this text, then your device isn't affected by CVE-2022-3978.

How to update your Android device to avoid this issue?

If you're using an Android device, we recommend that you update to the latest software release. If a future update is not available or if you're unable to update your device, follow the steps below.
1. Open Settings.
2. Select Security and turn on Advanced Lock Screen.
3. Enable Dynamic Lockscreen prior to SMR and turn on Allow access to file system.
4. Go back one level in the settings and select Apps & notifications. Then select Advanced and turn on Allow changes only by users with apps installed.
5. Go back one level in the settings and select Apps & notifications again. Then select Force stop and clear data for all apps except for Google Play Services.

Android R Security Fixes

How can I check if my device is vulnerable?

Most devices will not be vulnerable to this specific issue because they have the latest security updates installed. You can check your device's security level by going to the 'Security & location' settings. If you are not sure about the update, or your device is still vulnerable and has not been updated, you can choose to install the update manually from your mobile provider or the Google Play Store.

Timeline

Published on: 10/07/2022 15:15:00 UTC
Last modified on: 10/12/2022 01:44:00 UTC
