Android security flaws not patched by Google, Samsung

Google has warned that five Android smartphone security flaws have not been patched months after they were brought to the attention of phone makers.

In a blog post, Google’s Project Zero said the flaws it reported earlier in June and July had not been fixed, putting users of smartphones from Samsung, Xiaomi, Oppo and Google itself at risk of being hacked.

The issues reported earlier this year relate to semiconductor designer ARM’s “Mali” graphics processing unit, or GPU. The GPU is found in phones like the Pixel 6.

According to a report in Tech Circle, ARM fixed the issues in August, but phone brands like Samsung and Google haven’t yet fixed any of the vulnerabilities.

Ian Beer, a researcher at Project Zero, said the security flaws could lead to “kernel memory corruption”, as well as “physical memory addresses being exposed to unauthorized user space”. This essentially means that an attacker could exploit the security flaws to gain full access to a user’s device and “broad” access to a user’s data.

Beer notes that an attacker could gain access by forcing the kernel to read and write physical pages after they have been returned to the system.

According to Project Zero, none of the affected phone makers except Google have mentioned the issues in “downstream security bulletins” or publicly stated if or how they would fix them.

A Google spokesperson told Engadget: “The fix provided by ARM is currently being tested for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will need to use the patch to comply with future SPL requirements.”

It seems that security vulnerabilities noticed by industry researchers are mostly variants of current security flaws. Earlier this year, Project Zero released a report that found that half of the actively exploited zero-day vulnerabilities discovered in the first half of the year were variants of existing security flaws.