Why it matters: A set of vulnerabilities affecting kernel drivers for Qualcomm and Mali GPUs in millions of Android phones has been exploited in the wild. Google Pixel devices are the only ones patched so far, but the perennial problem of delayed updates for other Android devices remains.
Earlier this month, users were notified of a critical security flaw present in Qualcomm chips powering hundreds of millions of Android devices, as uncovered by security firm Check Point. This week, Google updated the Android Security Bulletin for May to reflect the fact that four of those vulnerabilities disclosed on May 1 have been exploited in the wild.
The initial report listed no fewer than 42 vulnerabilities that were patched in the May 2021 security update, but at the time the company had no knowledge that any were being actively exploited. New data indicated that four of them may be under “limited, targeted exploitation,” which at first seemed a little vague.
Google Project Zero researcher Maddie Stone sought to clarify that these are indeed 0-day flaws from a growing list that’s been observed since the beginning of this year.
Android has updated the May security with notes that 4 vulns were exploited in-the-wild.
Qualcomm GPU: CVE-2021-1905, CVE-2021-1906
ARM Mali GPU: CVE-2021-28663, CVE-2021-28664
https://t.co/mT8vE2Us74
— Maddie Stone (@maddiestone) May 19, 2021
Two of the flaws affect Qualcomm GPUs in hundreds of chipsets, including the latest 5G-enabled ones like the Snapdragon 768G and Snapdragon 888.
The other two vulnerabilities affect the kernel driver for Arm Mali GPUs (used in millions of Android devices), and their importance cannot be overstated, as they allow an attacker to take complete control over your phone.
Asaf Peleg, vice president of security firm Zimperium, told Ars Technica that “from elevating privileges beyond what is available by default to executing code outside of the current process’s existing sandbox, the device would be fully compromised, and no data would be safe.”
Google Pixel users should already be able to install a patch to mitigate the risks, but everybody else will have to wait until Samsung, Motorola, Nokia, LG (which retired its phone division), OnePlus, and other Android device manufacturers release an update for their phones. Peleg speculates these four security flaws would only be exploited by state-sponsored actors looking to extract the private information of high-profile individuals or organizations.
In related news, researchers found 23 Android apps exposed the sensitive data of over 100 million users. The more worrying aspect of this particular breach is that it wasn’t a result of flaws in the Android operating system, but poor implementations of the apps themselves and how they handle your data.