Google’s team of security researchers called Project Zero has said Android models from various manufacturers are vulnerable to flaws that are now months old.
Security researcher Jann Horn found five exploitable vulnerabilities in the ARM Mali GPU driver, and they affected all Android smartphones with a Mali GPU.
These vulnerabilities allow a bad actor to gain control of an Android smartphone, potentially stealing personal data from the devices.
Project Zero says that they reported the exploits, as they were discovered, to ARM between June and July 2022. These were fixed in July and August 2022.
“One of these issues (2334) leads to kernel memory corruption, one (2331) leads to physical memory addresses being disclosed to userspace and the remaining three (2325, 2327, 2333) lead to a physical page use-after-free condition. These would enable an attacker to continue to read and write physical pages after they had been returned to the system,” Project Zero’s Ian Beer wrote in a blog post.
The team then waited an additional 30 days before full public disclosure and finally, in September 2022, reported the flaws to the public at large.
Then, during routine follow-up bug reports and additional checks, Project Zero discovered that the flaws were still present and that all Android smartphones with Mali GPUs remained vulnerable.
Beer wrote that “minimizing the patch gap” as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch.”
Curiously, these patches affect Google’s own Pixel line as well. They also extend to phones from Samsung, Oppo, Xiaomi and more.
In a statement provided to Engadget, a Google spokesperson said, “The fix provided by ARM is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements.”