Many Android smartphones are vulnerable to multiple high-severity security issues that Google Project Zero reported over summer but remain unpatched, despite Arm releasing fixes for them.
Android phones equipped with Arm Mali GPUs are affected by the unpatched flaws. As GPZ researcher Ian Beer points out, even Google’s Pixel phones are vulnerable, as are phones from Samsung, Xiaomi, Oppo, and others.
Beer is urging all major Android smartphone vendors to do exactly what consumers get told all the time, and patch their devices as soon as possible. Right now, smartphone users themselves can’t apply a patch for an Arm Mali GPU driver, despite Arm releasing fixes for them months ago, because no Android smartphone vendor has applied the fixes to their Android builds.
As Beer notes in a blogpost, fellow GPZ researcher Jann Horn found five exploitable vulnerabilities in the Mali GPU driver that are tracked by GPZ as issues 2325, 2327, 2331, 2333, 2334. These were reported to Arm in June and July 2022.
Arm fixed them in July and August and assigned them the vulnerability identifier CVE-2022-36449, disclosed them on the Arm Mali Driver Vulnerabilities page, and published the patched driver source on their public developer website. Another Mali GPU bug Arm fixed is tracked as CVE-2022-33917. Beers refers to both bugs in his report about the “patch gap” by Android phone vendors.
So, for several months, vendors have had the information available to patch them, but on a recent check by GPZ, none of the major Android handset brands had issued a fix for them.
GPZ, in line with its own policies, has also lifted its block on public access to its five reports, which means anyone who wants to can now have most of the information they need to create exploits for the bugs, which impact most modern Android phones.
Fortunately, it appears Google’s Pixel team and Android team are on the case. As of this week, the Android team is talking with Android smartphone manufacturers (OEMs) and will require them to patch the vulnerabilities in order to comply with the Android OEM security patch level (SPL) policy. But the Pixel team won’t have patches for a few weeks. Other Android OEMs will follow suit eventually.
“Update from Android and Pixel, wrote GPZ researcher, Tim Willis, on Tuesday in all five bug reports.
“The fix provided by Arm is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements,” Williams wrote, quoting someone from the Android and Pixel teams.
For Beer, it’s a reminder that vendors need to do what consumers are told to do.
“Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies,” wrote Beer.
“Minimizing the “patch gap” as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch.
“Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible.”