Google Project Zero – the Alphabet division that focuses on finding undisclosed vulnerabilities – says Android smartphones with the Mali GPU remain at risk from an unpatched vulnerability. This includes Samsung and its Exynos SoCs, as well as devices from Oppo, Xiaomi, and even Google itself.
The problem stems from five issues found in the Mali GPU. Google Project Zero disclosed these flaws to ARM, the manufacturer of the GPU. ARM responded by delivering patches in July and August to fix the vulnerabilities.
However, smartphone manufacturers have still not deployed those patches within their own software updates.
In June and July, researchers with Google Project Zero found several issues in Mali GPUs: “One of these issues led to kernel memory corruption, one led to physical memory addresses being disclosed to userspace and the remaining three led to a physical page use-after-free condition,” Project Zero's Ian Beer wrote in a blog post. “These would enable an attacker to continue to read and write physical pages after they had been returned to the system.”
In an update, Google says that three months have passed and all the vendor devices it tested still had the flaw. They adds that none of the issues is mentioned “in any downstream security bulletins” from affected OEMs.
This is a familiar problem with the Android ecosystem. OEMs receive updates and are then free to do what they want with them, including not implementing them. That is why the history of Android is littered with smartphones that have been abandoned and unsupported sometimes within two years of launching.
Tip of the day: Need to reduce picture size of several images, but don't have the time to edit every one? Microsoft's PowerToys image resizer can batch-resize your photos with just two clicks.