- Android’s latest security patch has fixed four bugs that are under active exploitation.
- Google’s researchers don’t know many details about the actors or their targets yet.
- The vast majority of Android devices out there are vulnerable to these bugs and many more.
Google has updated the Android May security notice to reflect the fact that four bugs in it have been determined to be under active exploitation in the wild. This means that those who haven’t applied or can’t apply the May patch on their Android devices will have to live with the fact that their smartphones are vulnerable to malicious attacks. This is not a theoretical possibility or a hypothetical scenario, but a reality reflected in the Google Project Zero team’s list of zero-days.
The bugs are the following:
- CVE-2021-1905 (CVSS score: 8.4) - A use-after-free flaw in Qualcomm's graphics component stemming from improper handling of memory mapping of multiple processes simultaneously.
- CVE-2021-1906 (CVSS score: 6.2) - GPU address allocation failure in Qualcomm components due to improper handling of address de-registration.
- CVE-2021-28663 (no CVSS score assigned) - A vulnerability in the Arm Mali GPU kernel driver, allowing privilege escalation or information disclosure due to mishandling of GPU memory operations, leading to a use-after-free condition.
- CVE-2021-28664 (no CVSS score assigned) - A vulnerability in the Arm Mali GPU kernel driver, allowing privilege escalation or information disclosure through an attack carried out by an unprivileged user.
Because the above flaws affect either Arm Mali or Qualcomm Adreno GPUs, they cannot all exist simultaneously on a single Android device. As such, if you are running an older Android patch level, you are vulnerable to a couple of them in the worst-case scenario.
As for the details of the exploitation and the actors’ targeting, Google has chosen not to share much with the public. As Shane Huntley explained on Twitter, sometimes researchers need more time to determine these details, so it’s not that they know stuff and hide it on purpose.
Now here lies the problem with Android. The percentage of devices running the latest security patch is dishearteningly low, so most Android devices out there are exposed to the aforementioned vulnerabilities. Remember, security updates aren’t bound to the OS version, so someone with Android 10 could still receive the May patch.
Some smartphone vendors continue support with regular security patches for up to three years. Others deliver them in 3-month or even 6-month batches, and some delay the roll-out significantly even if they still deliver them. That said, if you care about your security, pay attention to that detail the next time you are shopping for a smartphone.