Google says Google and other Android manufacturers haven't patched security flaws

Millions of phones with Mali GPUs are at risk from exploits months after ARM issued a fix, Project Zero suggests.

Dado Ruvic / reuters

Google has disclosed several security flaws for phones that have Mali GPUs, such as those with Exynos SoCs. The company's Project Zero team says it flagged the problems to ARM (which designs the GPUs) back in the summer. ARM resolved the issues on its end in July and August. However, smartphone manufacturers including Samsung, Xiaomi, Oppo and Google itself hadn't deployed patches to fix the vulnerabilities as of earlier this week, Project Zero said.

Researchers identified five new issues in June and July and promptly flagged them to ARM. "One of these issues led to kernel memory corruption, one led to physical memory addresses being disclosed to userspace and the remaining three led to a physical page use-after-free condition," Project Zero's Ian Beer wrote in a blog post. "These would enable an attacker to continue to read and write physical pages after they had been returned to the system."

Beer noted that it would be possible for a hacker to gain full access to a system as they'd be able to bypass the permissions model on Android and gain "broad access" to a user's data. The attacker could do so by forcing the kernel to reuse the afore-mentioned physical pages as page tables.

Project Zero found that, three months after ARM fixed these issues, all of the team's test devices were still vulnerable to the flaws. As of Tuesday, the issues were not mentioned "in any downstream security bulletins" from Android manufacturers.

"The fix provided by ARM is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks," a Google spokesperson told Engadget. "Android OEM partners will be required to take the patch to comply with future SPL requirements."

Engadget has contacted Samsung, Oppo and Xiaomi to ask when they will deploy the fixes to their Android devices and why it has taken so long for them to do so. As SamMobile notes, Samsung's Galaxy S22 series devices and the company's Snapdragon-powered handsets aren't affected by these vulnerabilities.

Update 11/25 2:20PM ET: Added Google's statement.