Google recently disclosed a couple of security flaws present on phones with Mali GPUs.
The researchers at Google’s Project Zero said that they had already raised the concern with ARM, the maker of these mobile GPUs, back in the summer.
ARM already fixed the problems on its end in July and August. However, Android OEMs such as Xiaomi, OPPO, Samsung, and Google itself have yet to roll out the patches to their respective devices.
One of the problems led to “kernel memory corruption, one led to physical memory addresses being disclosed to userspace and the remaining three led to a physical page use-after-free condition,” Ian Beer of Project Zero said in a blog post.
As a result, an attacker can “continue to read and write physical pages even after they had been returned to the system.”
What’s more, Beer said that an attacker could gain full access to a system because these flaws make it possible to bypass the Android permissions model, which may result in broad access to the user’s private data.
The attacker can also cause similar damage by forcing the kernel to reuse those physical pages as page tables.
Project Zero found that three months after ARM issued the fix, its test devices were still vulnerable to the issue. None of the Android manufacturers had mentioned the problem “in any downstream security bulletins” either.