Four vulnerabilities in Qualcomm and Mali GPUs are being actively exploited in the wild

nanoguy

Posts: 799   +12
Staff member
Why it matters: A set of vulnerabilities affecting kernel drivers for Qualcomm and Mali GPUs in millions of Android phones has been exploited in the wild. Google Pixel devices are the only ones patched so far, but the perennial problem of delayed updates for other Android devices remains.

Earlier this month, users were notified of a critical security flaw present in Qualcomm chips powering hundreds of millions of Android devices, as uncovered by security firm Check Point. This week, Google updated the Android Security Bulletin for May to reflect the fact that four of those vulnerabilities disclosed on May 1 have been exploited in the wild.

The initial report listed no fewer than 42 vulnerabilities that were patched in the May 2021 security update, but at the time the company had no knowledge that any was being actively exploited. New data indicated that four of them may be under "limited, targeted exploitation," which at first seemed a little vague.

Google Project Zero researcher Maddie Stone sought to clarify that these are indeed 0-day flaws from a growing list that's been observed since the beginning of this year.

Two of the flaws affect Qualcomm GPUs in hundreds of chipsets, including the latest 5G-enabled ones like the Snapdragon 768G and Snapdragon 888.

The other two vulnerabilities affect the kernel driver for Arm Mali GPUs (used in millions of Android devices), and their importance cannot be overstated, as they allow an attacker to take complete control over your phone.

Asaf Peleg, vice president of security firm Zimperium, told Ars Technica that "from elevating privileges beyond what is available by default to executing code outside of the current process’s existing sandbox, the device would be fully compromised, and no data would be safe."

Google Pixel users should already be able to install a patch to mitigate the risks, but everybody else will have to wait until Samsung, Motorola, Nokia, LG (which retired its phone division), OnePlus, and other Android device manufacturers release an update for their phones. Peleg speculates these four security flaws would only be exploited by state-sponsored actors looking to extract the private information of high-profile individuals or organizations.

In related news, researchers found 23 Android apps exposed the sensitive data of over 100 million users. The more worrying aspect of this particular breach is that it wasn't a result of flaws in the Android operating system, but poor implementations of the apps themselves and how they handle your data.


trparky

Posts: 921   +973
And if you have a two-year-old phone (or gasp, an even older phone), you're going to be SOL. Why people don't demand better from the Android OEMs considering how much many of these devices cost, I'll never know. Come on people, wake the f*** up and start demanding that the OEMs support their devices for more than a few stupid months.

I hate to say this because I know I'm going to be flamed to hell and back, but this is why I bought an iPhone. Guaranteed updates for as long as five years. Yeah...
 

slamscaper

Posts: 275   +83
trparky said:
"And if you have a two-year-old phone (or gasp, an even older phone), you're going to be SOL. Why people don't demand better from the Android OEMs considering how much many of these devices cost, I'll never know. Come on people, wake the f*** up and start demanding that the OEMs support their devices for more than a few stupid months.

I hate to say this because I know I'm going to be flamed to hell and back, but this is why I bought an iPhone. Guaranteed updates for as long as five years. Yeah..."

I do understand your point, as many Android handsets are not supported nearly long enough.

That said, I have to say that I've had good experiences with my high-end Samsung phones. I've owned the Note models 3, 5, and now the Note 8. The Note 8 will be four years old come this September. That's crazy, considering it's still a powerful handset that runs Android Pie very well. Mine has 64GB of memory and supports 256GB SD cards. I have a 128GB card in it and that's plenty for what I use it for.

Anyway, you'd think that a phone this old would have stopped getting updates a long time ago. But it hasn't. I just received a FW update on April 8th and my security patch level is December of 2020. I fully expect a security patch level to mitigate this flaw, unless the latest FW update somehow addressed it. The last update was the first mandatory FW update I've seen in a long time. My phone usually gives me the option to reschedule the update; however, I was more or less forced to install the April 8th update immediately. I figured it must have been security related since I could only delay the installation by a short time, but after reading about these vulnerabilities I'm going to check the specific changes on my software version.

I admit, I don't like the idea of being unpatched for these flaws. Android really needs to be a seamless update to all phones. They need to figure this out, although it would take quite a feat from Google to accomplish this. They simply have to lay down the law with OEMs, even if it costs them money in the beginning. They shouldn't worry about Samsung creating their own OS or anything, because we all know Samsung's software is complete shite.
 