The May 2021 Android security update fixes four zero-day flaws in Qualcomm and ARM chips that are actively being exploited by unnamed hackers, Google quietly disclosed yesterday (May 19) in an update to May 3's Android Security Bulletin (opens in new tab).
"There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation," Google said in a one-sentence highlighted note.
- Chrome on Android will let you fix compromised passwords with one click
- The best Android antivirus software
- Plus: Google I/O 2021 recap: Android 12, Wear OS, Project Starline and more
The "CVE" numbers are how computer-security pros refer to known vulnerabilities. According to Google Project Zero researcher Maddie Stone, who tweeted out the bulletin update, two of the flaws involve Qualcomm graphics processors, while the other two affect ARM Mali GPUs. At least two of the flaws permit full system takeover.
Android has updated the May security with notes that 4 vulns were exploited in-the-wild. Qualcomm GPU: CVE-2021-1905, CVE-2021-1906ARM Mali GPU: CVE-2021-28663, CVE-2021-28664https://t.co/mT8vE2Us74May 19, 2021
"Limited, targeted exploitation" seems to imply that these flaws are being used in attacks by state-sponsored hackers (i.e., international cyberspies) against specific persons or organizations.
We've seen many limited, targeted attacks on both Android and iOS flaws by Chinese security services against Tibetan and Uyghur dissidents, for example, but there's no indication who the participants might be here.
Update your Android phone, and make sure it's still getting updates
To protect yourself against such exploits, make sure to install the May Android security patches as soon as your device gets them. Google's own Pixel devices should be able to install them already, and it's likely that recent flagship phones from Samsung and OnePlus will have them now or soon.
Other phones may have to wait a long time, or forever, to get the May Android update. That's why you should be fussy about the Android phone you use, especially if you're someone cyberspies might target: a defense contractor, information-security professional, political activist, journalist, diplomat, corporate executive, politician or active-duty service member.
If your Android device isn't getting Google's Android security updates within 60 days of their release, or is not longer getting the updates at all, then it's time for a new phone.
Snapdragon chips affected, and root at risk
Qualcomm's own May 2021 security bulletin (opens in new tab) gives CVE-2021-1905 a "high" security threat rating and says the issue has to do with "use after free." That implies the flaw leaves a certain amount of running memory unprotected, making it possible for malware to get a hook into running processes. It affects roughly 300 Qualcomm chipsets, including many of the Snapdragon chips that power flagship phones.
CVE-2021-1906 is less severe, with a "medium" threat rating. It's classified as a "detection of error condition without action in graphics," due to "improper handling of address deregistration on failure [which] can lead to new GPU address allocation failure."
We're not quite sure what that means, but we'd guess it has to do with a process failing "open" and letting potential attackers get their hooks in. It affects about 350 Qualcomm chipsets, many of them the same as the other flaw.
ARM addressed the flaws back in March (opens in new tab), describing CVE-2021-28663 as permitting "a non-privileged user" -- i.e., anyone or anything -- to exploit a "use-after-free scenario" in graphics memory to "gain root privilege, and/or disclose information."
ARM didn't give this one a severity rating, but gaining root -- seizing full control of the system -- is pretty high up there.
CVE-2021-28664 also lets an attacker gain root, as well as "corrupt memory and modify the memory of other processes." This is done by getting "write access to read-only memory," which is pretty interesting.
These flaws affect ARM's Midgard, Bifrost and Valhall (no A) GPU kernel drivers, which makes us wonder where Asgard might be.
At the time of ARM's security bulletin in March, the Bifrost and Valhall drivers had been patched, and Midgard's was on the way. Presumably, that patch is part of May's Android updates as well.