It’s never good news when a security researcher discovers four serious vulnerabilities in devices from a major hardware manufacturer, but you can rest easy: The damage in this case has already been mitigated.
If you own a Lenovo tablet, a Vibe or Zuk phone, or an older Motorola model (the Moto M or the Moto E3), you need to patch it ASAP — if it hasn’t already updated on its own.
This information comes from Lenovo’s support website, which thanks security researcher Imre Rad for finding four major flaws in the Lenovo Service Framework (LSF) software that Lenovo adds to its Android devices. The LSF lets apps push notifications into the user’s taskbar, but Rad discovered that a savvy hacker could leverage them to either steal sensitive information or inject remote code, all without a legitimate user’s input.
The exact details of the vulnerabilities aren’t available yet, which is probably good since users will need a little time to patch their devices. Android phones and tablets are pretty good about applying security updates on their own (or at least nagging users relentlessly about doing so), but if you haven’t downloaded a system patch lately, here’s how to do it:
First, ensure that your system itself is up to date by accessing System Updates in the Settings Menu. Tap Check for update, and follow the instructions, if necessary. If that’s all good, go to the Google Play Store and tap My apps & games. If the system finds any updates, tap Update All. There are more granular ways to do this, but that’s the most foolproof.
When that’s finished, go to Settings, Apps and Device Service. The version number should be V220.127.116.113, or higher. If it’s not, visit Lenovo’s download page and nab the appropriate APK, depending on whether you’re dealing with a smartphone or a tablet. In your Downloads app, tap the APK and let it install. (It may ask you to fiddle with your settings to allow third-party app installations. Go ahead and do so for now, but disable it again after the update.)
That’s pretty much it. A hawkeyed security researcher has preemptively outwitted the cybercriminals once again, and all you have to do to benefit is apply a simple update to your phone or tablet. There’s also no evidence that malefactors could exploit the vulnerability on newer Motorola phones, so most Moto owners can rest easy.