Google have disclosed that four Android vulnerabilities, discovered in May, are under active exploitation. With Android phones being heavily used within companies across the UK (including London), it is crucial that users and businesses are informed of this.
Introduction/what is Android?
Following Google’s monthly Android security bulletin, it was revealed that four out of 50 vulnerabilities ‘may be under limited, targeted exploitation’.
Android is an operating system (like Windows or MacOS) intended for mobile devices such as phones and tablets. It is mostly developed by Google and it is a free and open-source piece of software – which means it can be rejigged and manipulated to suit a person or company’s needs.
Google Android and Apple iOS dominate the market share for mobile operating systems, so you will not find many users that have a mobile phone that runs on another OS. Globally, Android sales trump that of iOS, so it is essential that if there are any security related issues that these are communicated and dealt with as quickly as possible – particularly if they are used within your company.
What are the vulnerabilities?
The vulnerabilities comprise specifically of the following CVE’s (Common Vulnerabilities and Exposures):
- Qualcomm GPU: CVE-2021-1905, CVE-2021-1906
- ARM Mali GPU: CVE-2021-28663, CVE-2021-28664
Both Qualcomm and ARM are Graphical Processing Units you will find built into mobile devices, and the CVE’s are essentially security loopholes within these components that can be exposed by potential hackers.
In this case, the Qualcomm bugs include improper error handling and a use-after-free flaw, whereas the ARM bugs allow an attacker to write to read-only memory in the Mail GPU and a use-after-free flaw.
Why are Google coming under some flack?
Initially, Google’s disclosure of these vulnerabilities came under fire as it was very vague and almost downplayed the severity of the problem. Maddie Stone, a member of Google Project Zero exploit research group, clarified further via Twitter by announcing ‘4 vulns were exploited in-the-wild’ – which means that the vulnerabilities were discovered after the Android update was released to the public.
Vice President of strategic projects for security company Zimperium, Asaf Peleg, did not downplay the vulnerabilities discovered. He made quite clear that if the loopholes were exploited, the attacker could gain complete control of the user’s mobile device and claimed, ‘no data would be safe’.
To be clear, not all Android devices are affected by this, but any device that uses the Qualcomm or ARM GPU’s will need to be aware of this. Devices affected include Samsung Galaxy, Google Pixel and HTC phones.
What should you do as a business?
Unfortunately, Google have not given any specific advice on how best to avoid the issue. However, there are a few generic things you as a company can and should do if you have an Android phone:
- Make sure your Android phone has all available updates installed
- If possible, avoid upgrading or purchasing an Android phone until the issue has been addressed. Some vendors are currently delaying shipments until a patch has been released and applied to Android devices
- If you notice any suspicious activity on your phone (such as inappropriate pop-ups, text or calls not made by you, apps or data usage you don’t recognise) you should immediately run anti-malware software and worst case reset your phone to factory settings
In summary, there isn’t a huge amount you can do in this case. When security issues are discovered in operating systems, you can sometimes disable a particular feature or setting to avoid being exposed, however, because this particular issue is so deep rooted, it is related to the hardware and there is no setting a user can change, it is up to the vendor (in this case, Google) to work on an update/patch to the problem as soon as possible. Until then, you just have to follow the above guidance and update your phone as soon as one becomes available.
Hopefully this article will help inform you more on the issue discovered – but if you require further advice, please go to our contact us page.