Android phones under attack by zero-day flaws — protect yourself now

Android 12 release date, beta and features
(Image credit: Photo Illustration by Mateusz Slodkowski/SOPA Images/LightRocket via Getty Images)

The May 2021 Android security update fixes four zero-day flaws in Qualcomm and ARM chips that are actively being exploited by unnamed hackers, Google quietly disclosed yesterday (May 19) in an update to May 3's Android Security Bulletin.

"There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation," Google said in a one-sentence highlighted note. 

The "CVE" numbers are how computer-security pros refer to known vulnerabilities. According to Google Project Zero researcher Maddie Stone, who tweeted out the bulletin update, two of the flaws involve Qualcomm graphics processors, while the other two affect ARM Mali GPUs. At least two of the flaws permit full system takeover.

"Limited, targeted exploitation" seems to imply that these flaws are being used in attacks by state-sponsored hackers (i.e., international cyberspies) against specific persons or organizations. 

We've seen many limited, targeted attacks on both Android and iOS flaws by Chinese security services against Tibetan and Uyghur dissidents, for example, but there's no indication who the participants might be here.

Update your Android phone, and make sure it's still getting updates

To protect yourself against such exploits, make sure to install the May Android security patches as soon as your device gets them. Google's own Pixel devices should be able to install them already, and it's likely that recent flagship phones from Samsung and OnePlus will have them now or soon. 

Other phones may have to wait a long time, or forever, to get the May Android update. That's why you should be fussy about the Android phone you use, especially if you're someone cyberspies might target: a defense contractor, information-security professional, political activist, journalist, diplomat, corporate executive, politician or active-duty service member.

If your Android device isn't getting Google's Android security updates within 60 days of their release, or is not longer getting the updates at all, then it's time for a new phone.

Snapdragon chips affected, and root at risk

Qualcomm's own May 2021 security bulletin gives CVE-2021-1905 a "high" security threat rating and says the issue has to do with "use after free." That implies the flaw leaves a certain amount of running memory unprotected, making it possible for malware to get a hook into running processes. It affects roughly 300 Qualcomm chipsets, including many of the Snapdragon chips that power flagship phones.

CVE-2021-1906 is less severe, with a "medium" threat rating. It's classified as a "detection of error condition without action in graphics," due to "improper handling of address deregistration on failure [which] can lead to new GPU address allocation failure." 

We're not quite sure what that means, but we'd guess it has to do with a process failing "open" and letting potential attackers get their hooks in. It affects about 350 Qualcomm chipsets, many of them the same as the other flaw.

ARM addressed the flaws back in March, describing CVE-2021-28663 as permitting "a non-privileged user" -- i.e., anyone or anything -- to exploit a "use-after-free scenario" in graphics memory to "gain root privilege, and/or disclose information." 

ARM didn't give this one a severity rating, but gaining root -- seizing full control of the system -- is pretty high up there.

CVE-2021-28664 also lets an attacker gain root, as well as "corrupt memory and modify the memory of other processes." This is done by getting "write access to read-only memory," which is pretty interesting.

These flaws affect ARM's Midgard, Bifrost and Valhall (no A) GPU kernel drivers, which makes us wonder where Asgard might be. 

At the time of ARM's security bulletin in March, the Bifrost and Valhall drivers had been patched, and Midgard's was on the way. Presumably, that patch is part of May's Android updates as well.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.