A report released by Google Project Zero on Friday claimed that several Android devices — including Pixel, Samsung, Xiaomi, Oppo, and others — still carry Mali GPU-related security flaws that the team had flagged back in June and July.
These weaknesses are said to allow an attacker with native code execution to gain complete access to a smartphone by bypassing the permission model in Android OS. Notably, ARM, the manufacturer of Mali GPUs, had fixed these security issues in July and August of this year.
The report by Google Project Zero had identified a Mali GPU driver vulnerability that could allow a non-privileged user to access read-only memory pages. On further investigation, the driver reportedly contained five more security issues. One of these flaws may lead to kernel memory corruption, and another is said to disclose physical memory addresses to userspace.
The remaining three security defects could reportedly lead to a “physical page use-after-free condition.” As noted earlier, these flaws can allow an attacker to bypass Android permissions and gain broad access to user data. The Project Zero team found these security flaws earlier this year, in June and July.
ARM promptly fixed them in July and August. However, the Project Zero team discovered that smartphone vendors had not released updates to fix these issues in their respective devices. This means that smartphones from vendors like Google, Xiaomi, and Oppo that feature Mali GPUs are still vulnerable to potential attackers.
Moreover, a SamMobile report mentions that millions of Samsung smartphones powered by Exynos SoCs paired with a Mali GPU are currently vulnerable to this security exploit. However, Samsung devices with Snapdragon chipsets are unaffected by these security flaws. Notably, the Galaxy S22 series with Exynos SoCs is also unaffected by these issues, as it carries Xclipse 920 GPUs.
Google Project Zero is a team of security analysts tasked with uncovering zero-day vulnerabilities.