Vulnerability not yet fixed leaves millions of Android phones at risk
ARM supposedly fixed the vulnerability, but it has yet to be patched
Project Zero notes that it told ARM about the vulnerabilities and ARM “promptly” fixed the issues in July and August of this year. ARM assigned the CVE-2022-33917 number to the flaw. But Google later found “that all of our test devices which used Mali are still vulnerable to these issues. CVE-2022-36449 is not mentioned in any downstream security bulletins.” In other words, devices made by Google’s own Pixel team, Samsung, Oppo, and Xiaomi were never patched and still have this exploitable vulnerability.
Google’s Project Zero team informed ARM of the vulnerability
Keep in mind that the phones at risk sport a Mali GPU, which rules out devices powered by a Snapdragon chipset. However, handsets using Google Tensor, Exynos, or MediaTek chips need to be patched. The good news is that Google is testing a patch that is expected to be pushed out “in the coming weeks.” Phone manufacturers building Android devices will be required to include it as well.
Google’s statement reads, “The fix provided by Arm is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements.”
Google tells vendors that they must close these flaws immediately
The search giant added that “Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible.”
Google has not said that the vulnerability has been exploited by any attackers, but for the time being it remains a flaw that can be used to steal the personal data on certain Android phones. When the update does arrive (and Google has said that it will be coming soon), if you have an Android phone at risk, install the update immediately. You can quickly determine if your device is vulnerable by looking at the specs for your phone on PhoneArena and checking to see the manufacturer of the GPU on the device.