Security

Google Says Update to Android May Patch or Live With Actively Exploited Bugs

By Bill Toulas
android malware
  • Android’s latest security patch has fixed four bugs that are under active exploitation.
  • Google’s researchers don’t know many details about the actors or their targets yet.
  • The vast majority of Android devices out there are vulnerable to these bugs and many more.

Google has updated the Android May security notice to reflect the fact that four bugs in it have been determined to be under active exploitation in the wild. This means that those who haven’t or can’t apply the May patch on their Android devices will have to live with the fact that their smartphones are vulnerable to malicious attacks. This is not a theoretical possibility or a hypothetical scenario, but the reality is reflected in Google’s Project Zero team list of zero-days.

The bugs are the following:

  • CVE-2021-1905 (CVSS score: 8.4) - A use-after-free flaw in Qualcomm's graphics component relying on the improper handling of memory mapping of multiple processes simultaneously.
  • CVE-2021-1906 (CVSS score: 6.2) – GPU address allocation failure in Qualcomm components due to improper handling of address de-registration.
  • CVE-2021-28663 (no CVSS score assigned) - A vulnerability in Arm Mali GPU kernel driver, allowing privilege escalation or information disclosure due to GPU memory operations mishandling, leading to a use-after-free condition.
  • CVE-2021-28664 (no CVSS score assigned) - A vulnerability in Arm Mali GPU kernel driver, allowing privilege escalation or information disclosure through an attack carried out by an unprivileged user.

Because the above flaws affect either Arm Mali or Qualcomm Adreno GPUs, they cannot simultaneously exist on an Android device. As such, if you are running an older Android patch level, you are vulnerable to a couple of them in the worst-case scenario.

As for the details of the exploitation and the targeting of the actors, Google has chosen not to share much with the public. As Shane Huntley explained on Twitter, sometimes researchers need more time to determine these details, so it’s not that they know stuff and hide it on purpose.

Now here lies the problem with Android. The percentage of devices running the latest security patch is dishearteningly low, so most Android devices out there are vulnerable to the aforementioned vulnerabilities. Remember, security updates aren’t bound to the OS version, so someone with Android 10 could still receive the May patch.

Some smartphone vendors continue the support with regular security patches for up to three years. Others deliver them in 3-month or even 6-month batches, and some are delaying the roll-out significantly even if they still deliver them. That said, if you care about your security, pay attention to that detail the next time you are shopping for a smartphone.

More on Security

Add a Comment

Latest
Streaming
How to Watch America’s Funniest Home Videos Season 34 Online from Anywhere
TechNadu Staff - 0
What could be the best way to make money, spread laughter, and have a blast simultaneously? The answer: America's Funniest Home Videos....
Read more
Streaming
How to Watch Family Guy Season 22 Online Free from Anywhere
TechNadu Staff - 0
Family Guy Season 22 continues to follow the funny day-to-day activities of the Griffins, particularly Peter’s. The new season is set to...
Read more
Streaming
How to Watch Bob’s Burgers Season 14 Online from Anywhere
TechNadu Staff - 0
Bob's Burgers has been entertaining us with its unique charm and warmth for over 10 years. The Belcher family—Bob, Linda, and their...
Read more

© TechNadu 2023. All Rights Reserved.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari