Android Security Flaws Not Patched by Google, Samsung - PCMag

Google has warned that 5 information flaws affecting Android smartphones stay unpatched months aft being brought to the attraction of telephone manufacturers. 

In a blog post(Opens successful a caller window), Google’s Project Zero said that the flaws it antecedently reported successful June and July had not been resolved, leaving the users of smartphones belonging to Samsung, Xiaomi, Oppo, and Google itself astatine hazard of hacking.

The issues reported earlier successful the twelvemonth were linked to semiconductor decorator ARM’s ‘Mali’ graphic paper processor, oregon GPU. The GPU tin beryllium recovered successful phones specified arsenic the Pixel 6. 

According to a study successful Tech Circle, ARM fixed the issues by August, telephone brands including Samsung and Google person not yet fixed any(Opens successful a caller window) of the vulnerabilities. 

Ian Beer, a researcher astatine Project Zero said the information flaws could pb to “kernel representation corruption”,  arsenic good arsenic “physical representation addresses being disclosed to unprivileged userspace”. This efficaciously means an attacker could exploit the information flaws to summation afloat entree to a user’s instrumentality and “broad” entree to a user’s data.

Beer notes that an attacker could summation entree by forcing the representation kernel to work and constitute carnal pages aft they had been returned to the system.

According to Project Zero, nary of the affected telephone manufacturers person mentioned the issues successful immoderate “downstream information bulletins” and person not publically addressed if and however they would resoluteness it, but for Google.

Speaking to Engadget, a Google spokesperson said: "The hole provided by ARM is presently undergoing investigating for Android and Pixel devices and volition beryllium delivered successful the coming weeks. Android OEM partners volition beryllium required to instrumentality the spot to comply with aboriginal SPL requirements."

It seems that information vulnerabilities being noted by manufacture researchers are mostly variants of existent information flaws. Earlier this year, Project Zero released a study that found fractional of actively exploited zero-day vulnerabilities discovered successful the archetypal fractional of the twelvemonth person been variants of existing information flaws.