Google Admits To Not Fixing Its Security Flaws On Android Devices
Google admitted to not fixing five security flaws occurring on Android devices, including one that makes addresses saved in your phone's memory public.
Security flaws have been reported in Android phones. Google has informed the public that these flaws can be found in phones that have Mali GPUs, such as those with Exynos SoCs. These security flaws make phones vulnerable to hacking and data breaches.
These flaws are present in Android devices, including but not limited to Pixel, Samsung, Xiaomi, Oppo, and others. Maddie Stone, a Project Zero researcher, first discovered these flaws in over 50% of the tests in various variations.
Stone has noted five primary issues. They are labeled 2334, 2331, 2325, 2327, and 2333. The first issue is that code can cause kernel memory corruption. Kernel memory corruption is the corruption of the physical memory in the operating system. This memory allows access to the RAM, and corruption of this data can make the device no longer usable.
The next vulnerability, under code 2331, causes physical memory addresses to be made public. This translates roughly to the location of your personal data on your devices. This will make it easier for hackers to find and steal your personal information.
This is very serious, as hackers can find your information and where it is stored. Whenever we access or input information, it is temporarily stored on our device. The location where this is stored in any app, including our email and banking apps, will be visible to these attackers.
The last three security issue codes found under Google devices are 2325, 2327, and 2333. These last codes lead to physical page use-after-free conditions. This means that hackers can read and write physical pages after they have been returned to the system.
This translates to hackers using these physical pages to force your device to use page tables they have made. This gives them access to the native code. It will allow hackers to bypass Android’s permissions on your device and gain broad access to your user data.
These five issues were reported in June and July. ARM, Application Response Measurement, sent a wide-range update in August that was supposed to have fixed these issues. Project Zero waited thirty days before retesting these security issues. Around mid-September, Stone reported that these five issues still exist, and fixes seem to be patchy at best.
This creates a series of issues for Android, as it violates the 2021 security contract for the phones and allows for massive data leaks from Android devices. When we reached out to Google about when fixes will be made for these security risks, Google informed us that their Samsung Galaxy S22 series and the company’s Snapdragon-powered handsets aren’t affected.
This does little to make us feel secure, as this now adds up to about five months of security vulnerability. ARM is a group responsible for many architectures in our devices, and its code is responsible for many of our CPU functions. The report sent to them and the patch they posted did not fix the issues.
ARM's patch update is labeled on their developer website under the code CVE-2022-36449. It did not fix the issue, and we won’t see any additional updates soon. The errors and breach risks are not mentioned in their downstream security bulletins and notices.