Google says Google and other Android makers failed to patch security flaws
revealed several security vulnerabilities for phones with Mali GPUs, such as those with Exynos chipsets. From the company the team says they have reported the issues to (which produces the GPUs) in the summer. ARM fixed the issues on its end in July and August. However, smartphone makers including Samsung, Xiaomi, Oppo and Google itself had not deployed patches to address the vulnerabilities as of earlier this week, Project Zero said.
Researchers identified five new issues in June and July and promptly reported them to ARM. “One of these issues led to kernel memory corruption, one led to the disclosure of physical memory addresses to user space, and the other three led to a physical page usage condition. after release,” said Ian Beer of Project Zero. . “These would allow an attacker to continue reading and writing physical pages after they return to the system.”
Beer noted that it would be possible for a hacker to gain full access to a system because they could bypass the permissions model on Android and gain “broad access” to a user’s data. The attacker could do this by forcing the kernel to reuse the aforementioned physical pages as page tables.
Project Zero found that three months after ARM fixed these issues, all of the team’s test devices were still vulnerable to the flaws. As of Tuesday, the issues weren’t mentioned “in any downstream security bulletins” from Android makers.
Engadget has reached out to Google, Samsung, Oppo, and Xiaomi to ask when they’ll be rolling out the patches to their Android devices and why it’s taken them so long to do so. As notes, Samsung’s Galaxy S22 series devices and the company’s Snapdragon-powered handsets are not affected by these vulnerabilities.
All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you purchase something through one of these links, we may earn an affiliate commission. All prices correct at time of publication.