Google’s Project Zero team found a security flaw, and although it was flagged, companies including Google have not yet issued a security patch. ARM resolved the issues on its end in July and August.
New Security Flaw Found in Phones that Use the Mali GPUs
According to the story by Engadget, Google has disclosed multiple security flaws affecting phones that use Mali GPUs, such as those with Exynos SoCs. The problems were flagged to ARM by the company’s Project Zero team.
Although the issues were flagged, Google itself, along with some other companies, has not patched them. ARM fixed the issues on its end in July and August, while Samsung, Xiaomi, Oppo, and Google have yet to release a security update, according to Project Zero.
Project Zero Researcher Explained the Issues and What They Could Lead to
In a blog post, Ian Beer of Project Zero shared that one of the issues ultimately led to kernel memory corruption. One led to the disclosure of the physical memory address to userspace, while the remaining three “led to physical page use-after-free condition.”
Beer noted that the issues would allow the hacker to gain full access to the system. Should the hackers gain full access, they can bypass the permission model on Android.
Hackers can Gain Broad Access to Users’ Data if They Can Bypass the Permission Model
When hackers bypass the permission model, they can gain broad access to users’ data. The attacker can accomplish this by forcing the kernel to reuse the “aforementioned physical pages as page tables.”
Researchers identified five new issues in June and July and flagged them to ARM, which responded with quick action.
The Publication Tried to Contact Google, Oppo, Samsung, and Xiaomi Regarding the Delay
Project Zero also found that three months after ARM decided to fix the issues, all of the team’s test devices were still vulnerable to the flaw. It also noted that the issues were not mentioned “in any downstream security bulletins” from manufacturers of Android devices.
The article notes that the publication has tried to contact Google, Oppo, Samsung, and Xiaomi to ask why it is taking them so long to deploy the security fixes. It also asked when the security fixes might launch for Android devices.
So Far, the Samsung Galaxy S22 Series Remains Unaffected by the Issue
Regarding Samsung, a particular series of devices is reportedly not vulnerable to this issue. This is because they use a different chip.
An article by SamMobile notes that the Samsung Galaxy S22 series devices and the company’s Snapdragon-powered handsets are not affected by the vulnerability. This is because the devices use a different type of chip that is not vulnerable to the issue.
Written by Urian B.