Project Zero, Google’s zero-day vulnerability research group, suggests that millions of phones with Mali GPUs remain at risk of exploitation, despite ARM providing a patch months ago.
Experts report 5 security flaws affecting phones with Mali GPUs, in particular those with Exynos SoCs. Project Zero says it notified ARM (the company that makes the graphics processors) about the flaws back in the summer, and ARM addressed them in July and August. However, smartphone manufacturers, including Samsung, Xiaomi, Oppo and Google itself, had yet to issue a patch to address the vulnerabilities as of earlier this week.
“One of these issues led to kernel memory corruption, another to physical memory addresses being exposed in user space, and the remaining three to a physical page use-after-free. This would allow attackers to continue reading and writing physical pages after they are returned to the system,” Ian Beer of Project Zero wrote in a blog post.
Beer noted that an attacker could gain full system access, bypassing Android’s permission model and gaining “broad access” to user data, specifically by forcing the kernel to reuse the aforementioned physical pages as page tables.
Project Zero says that three months after ARM fixed the issues, all of its test devices are still vulnerable to the flaws. As of Tuesday, the vulnerabilities had not been mentioned in “any future security bulletins” from Android manufacturers.
Google, Samsung, Oppo and Xiaomi have yet to comment on when they will roll out the patch to their Android devices or why it has taken so long. As SamMobile points out, Samsung’s Galaxy S22 series devices and the company’s Snapdragon-based phones do not suffer from these issues.