Android Security Flaws Not Patched by Google, Samsung
Google has warned that five security flaws affecting Android smartphones remain unpatched months after being brought to the attention of phone manufacturers.
In a blog post, Google’s Project Zero said that the flaws it previously reported in June and July had not been resolved, leaving the users of smartphones belonging to Samsung, Xiaomi, Oppo, and Google itself at risk of hacking.
The issues reported earlier in the year were linked to semiconductor designer ARM’s ‘Mali’ graphic card processor, or GPU. The GPU can be found in phones such as the Pixel 6.
According to a report in Tech Circle, ARM fixed the issues by August, phone brands including Samsung and Google have not yet fixed any of the vulnerabilities.
Ian Beer, a researcher at Project Zero said the security flaws could lead to “kernel memory corruption”, as well as “physical memory addresses being disclosed to unprivileged userspace”. This effectively means an attacker could exploit the security flaws to gain full access to a user’s device and “broad” access to a user’s data.
Beer notes that an attacker could gain access by forcing the memory kernel to read and write physical pages after they had been returned to the system.
According to Project Zero, none of the affected phone manufacturers have mentioned the issues in any “downstream security bulletins” and have not publicly addressed if and how they would resolve it, except for Google.
Speaking to Engadget, a Google spokesperson said: “The fix provided by ARM is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements.”
It seems that security vulnerabilities being noted by industry researchers are mostly variants of current security flaws. Earlier this year, Project Zero released a report that found half of actively exploited zero-day vulnerabilities discovered in the first half of the year have been variants of existing security flaws.