Unknown attackers are exploiting four Android vulnerabilities that allow the execution of malicious code capable of taking complete control of a device, Google warned on Wednesday.
All four vulnerabilities were revealed two weeks ago in Google’s Android security bulletin for May. Google has released security updates to device manufacturers, who are then responsible for distributing the patches to users.
Google’s May 3 bulletin initially did not report that any of the roughly 50 vulnerabilities it covered had been actively exploited. On Wednesday, Google updated the advisory to say there are “indications” that four of the vulnerabilities “may be under limited, targeted exploitation.” Maddie Stone, a member of Google’s Project Zero exploit research group, removed the ambiguity. She said on Twitter that the “4 vulnerabilities were exploited in the wild” as zero-days.
Android updated May’s security with notes that 4 vulnerabilities were exploited in the wild.
Qualcomm GPU: CVE-2021-1905, CVE-2021-1906
ARM Mali GPU: CVE-2021-28663, CVE-2021-28664 https://t.co/mT8vE2Us74
— Maddie Stone (@maddiestone) May 19, 2021
Successful exploits of the vulnerabilities “would give full control over the victim’s mobile endpoint,” Asaf Peleg, vice president of strategic projects for security firm Zimperium, said in an email. “From increasing privileges beyond what is available by default to running code outside of the existing sandbox of the current process, the device would be completely compromised and no data would be safe.”
So far, four zero-day vulnerabilities in Android have been disclosed this year, compared to one for all of 2020, according to Zimperium figures.
Two of the vulnerabilities are in the graphics (GPU) driver for Qualcomm’s Snapdragon chipsets, which power most Android devices in the US and a huge number of handsets abroad. CVE-2021-1905, the first of the two to be identified, is a memory corruption flaw (a use-after-free) that lets an attacker who can already run code on the device execute malicious code with full root privileges. It is rated high severity, with a CVSS score of 7.8 out of 10.
The other, CVE-2021-1906, is a logic error in how the driver handles a failed address deregistration, which can cause subsequent GPU address allocations to fail. Its score is 5.5, a medium severity. A bug like that is rarely enough to take over a device on its own, but attackers often chain two or more exploits together to bypass security mitigations, and that is probably the case with the two Snapdragon flaws.
The other two vulnerabilities under attack are in the kernel driver for Arm’s Mali GPUs. CVE-2021-28663 is a use-after-free in the driver’s memory management, and CVE-2021-28664 allows an unprivileged user to obtain write access to read-only memory pages. Either can be used to corrupt kernel memory and gain root-level access on vulnerable devices.
No actionable advice from Google
There are no other details about the in-the-wild attacks. Google representatives did not respond to emails asking how users can tell if they are being targeted.
The skill required to exploit the vulnerabilities has led some researchers to speculate that the attacks are likely the work of state-backed hackers.
“The complexity of this mobile attack vector is not unheard of, but beyond the capabilities of an attacker with rudimentary or even intermediate knowledge of hacking mobile endpoints,” Peleg said. “Any attacker using this vulnerability is most likely doing so as part of a larger campaign against an individual, company, or government to steal critical and private information.”
It’s not clear exactly how the attackers are delivering the exploits. All four flaws are in kernel GPU drivers, so they are privilege-escalation bugs: the attacker first needs code running on the device, which could come from a malicious app the target is tricked into installing, or from a browser or messaging-app exploit chained with them.
Without more information from Google, the only useful advice for Android users is to make sure all available updates are installed. Owners of Google’s own devices receive the patches automatically with the May security rollout. Users of other devices should check with their manufacturer.
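One concrete way to act on that advice is to read the device’s security patch level over adb and compare it with the bulletin that fixes the four flaws. The script below is an added example, not code from the article or from Google. It assumes that the relevant patch-level string is 2021-05-05 (the May bulletin’s later level, which covers the vendor and kernel components), that `adb` is on the PATH with USB debugging enabled on the connected device, and that the device populates the `ro.vendor.build.security_patch` property; it also checks that vendor level because GPU driver fixes from Qualcomm and Arm ship in the vendor partition, not the system image.

```shell
#!/bin/sh
# Added example (not from the article): check whether an Android device's
# security patch levels are at or past the May 2021 bulletin that fixes
# CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664.
# Assumptions: the bulletin level that matters is 2021-05-05; `adb` is on
# PATH and USB debugging is enabled; the vendor patch property is populated.

BULLETIN_LEVEL="2021-05-05"

# level_to_int YYYY-MM-DD
# Prints the date as an integer YYYYMMDD so two levels can be compared
# numerically. Prints nothing and returns 1 for an empty or malformed value,
# which is what an unset getprop yields.
level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s' "$1" | tr -d '-'
            ;;
        *) return 1 ;;
    esac
}

# patch_level_ok LEVEL
# Returns 0 if LEVEL is at or after the bulletin level, 1 if it is older,
# and 2 if LEVEL is missing or not a date.
patch_level_ok() {
    lvl=$(level_to_int "$1") || return 2
    want=$(level_to_int "$BULLETIN_LEVEL")
    [ "$lvl" -ge "$want" ]
}

# check_device
# Reads both the system and the vendor patch level from the connected device
# and reports each. Returns non-zero if either level is old or missing, since
# a current system image with a stale vendor partition still carries the
# unpatched GPU drivers.
check_device() {
    status=0
    for prop in ro.build.version.security_patch ro.vendor.build.security_patch; do
        level=$(adb shell getprop "$prop" | tr -d '\r\n')
        if patch_level_ok "$level"; then
            echo "$prop=$level: OK (at or after $BULLETIN_LEVEL)"
        else
            echo "$prop=${level:-<unset>}: NOT patched against the May 2021 bulletin"
            status=1
        fi
    done
    return $status
}

# Usage: sh check_patch_level.sh --device
if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

The date comparison is done on integers rather than with `[ "$a" \> "$b" ]` so the script runs under a plain POSIX `sh`; a missing property is reported separately from an old one so a device that simply does not expose the vendor level is not mistaken for a patched one.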