Google disclosed a new security flaw affecting phones with ARM Mali GPUs a few days ago. Google's Project Zero team discovered a serious kernel-related flaw in all smartphones that use the Mali GPU, including those built on MediaTek and Exynos chipsets. ARM, which makes the GPU, was reportedly informed of the problem by Google and subsequently patched the flaw. However, no Android OEM, including Google itself, has released a security fix for the issue yet.

Project Zero's research found about five different flaws, which the team reported to ARM. Project Zero's Ian Beer stated in a blog post that “one of these flaws led to kernel memory corruption, one to physical memory addresses being leaked to userspace, and the remaining three lead to a physical page use-after-free condition.” These would give an attacker the ability to read and write physical pages even after they had been returned to the system.

Three months after ARM fixed these problems, Project Zero found that all of the team's test devices were still vulnerable to the flaws. As of Tuesday, no “downstream security bulletins” from Android makers had acknowledged the problems. Beer pointed out that if a hacker could get around Android's permissions policy and have “wide access” to a user's data, it would be easy for them to take control of the entire system. The attacker might do this by causing the kernel to use the aforementioned physical pages as page tables.

A Google representative told Engadget that the “fix released by ARM is presently undergoing testing for Android and Pixel devices and will be delivered in the next weeks.” To meet future SPL requirements, “Android OEM partners will be obliged to take the patch.” It is worth noting that devices powered by Qualcomm Snapdragon chipsets are unaffected by this vulnerability.
