shutterstock 1320843212

Google warns: A ‘patch hole’ in Android makes these smartphones vulnerable to attack

Someone using an Android phone.

Photo: MS_studio/Shutterstock

Many Android smartphones are vulnerable to several high-severe security issues reported by Google Project Zero over the summer but still unpatched, despite Arm releasing fixes for them.

Android phones with Arm Mali GPUs are affected by the unpatched flaw. As GPZ researcher Ian Beer points out, even Google’s Pixel phones are vulnerable, as are phones from Samsung, Xiaomi, Oppo, and others.

Beer urges all Android smartphone vendors to do exactly what consumers have been told all along, and fix their devices ASAP. Currently, smartphone users themselves cannot apply a patch for the Arm Mali GPU driver, even though Arm released fixes for them months ago, because no Android smartphone vendor has applied the fixes to their Android versions.

As Beer pointed out in a blog post, fellow GPZ researcher Jan Horn found five exploitable vulnerabilities in the Mali GPU driver that GPZ tracks as versions 2325, 2327, 2331, 2333, and 2334. These vulnerabilities were reported to Arm in June and July 2022.

also: Best 5G phones: which flagship comes out on top?

Arm fixed them in July and August and gave them the vulnerability ID CVE-2022-36449, disclosed them on the Arm Mali Driver Vulnerabilities page, and posted the patched driver source on their public developer site. Another Mali GPU Arm Fixed bug is tracked as CVE-2022-33917. Beers points to both errors in his report on a “patch gap” by Android phone vendors.

So, for months, vendors have had the information available to patch them, but in a recent check by GPZ, none of the major Android brands have released a fix for them.

In line with its own policies, GPZ has also lifted the ban on public access to its five reports, which means anyone who wants can now get most of the information they need to create exploits for the bug, which affects most modern Android phones.

Fortunately, the Google Pixel team and the Android team seem to be working on the issue. Starting this week, the Android team is talking to Android smartphone manufacturers (OEMs) and will require them to patch the vulnerabilities in order to comply with the Android OEM Security Patch Level (SPL) policy. But the Pixel team won’t have patches for a few weeks. Android OEMs will eventually follow suit.

“Update from Android and Pixel,” GPZ researcher Tim Willis wrote Tuesday in all five bug reports.

Williams wrote, quoting an insider at the Android and Pixel teams.

For beer, it’s a reminder that sellers need to do what consumers are told to do.

“Just as users are advised to patch as soon as possible as soon as a version containing security updates becomes available, the same is true for vendors and companies,” Beer wrote.

Arguably, “reducing the patch gap” as a resource in these scenarios is even more important, as end users (or ultimately other vendors) block this action before they can get the security benefits of the patch.

“Companies need to remain vigilant, follow primary sources closely, and do their best to provide full patches to users as soon as possible.”