On Wednesday, Google quietly slipped updates into its May 3 Android security bulletin for bugs that its Project Zero group has confirmed are zero-days.
Google updated its May 3 Android security bulletin on Wednesday to say that there are “indications” that four of the 50 vulnerabilities “may be under limited, targeted exploitation.” That was mostly confirmed by Maddie Stone, a member of Google’s Project Zero exploit research group, who clarified on Twitter that the “4 vulns were exploited in-the-wild” as zero-days.
Android has updated the May security with notes that 4 vulns were exploited in-the-wild.
Qualcomm GPU: CVE-2021-1905, CVE-2021-1906
ARM Mali GPU: CVE-2021-28663, CVE-2021-28664https://t.co/mT8vE2Us74
— Maddie Stone (@maddiestone) May 19, 2021
Google Android exploits are a rarity. These four bugs make up a full two-thirds of the six total bugs to be exploited in the wild since 2014, according to Google’s tracking spreadsheet. Project Zero’s Stone went on to celebrate that fact, pointing out that “For 2021, we’ve surpassed the number of 0-days detected in-the-wild in all of 2020. That’s great!”
According to security firm Zimperium, Google disclosed only one zero-day vulnerability in Android in 2020.
Could Give Attackers ‘Complete Control’ of Androids
Is finding four zero-days really all that great? These four bugs could give attackers complete control of Android devices. All four affect GPU firmware code. Two of the bugs impact the ARM Mali GPU driver, while the other two are found in the Qualcomm Snapdragon CPU graphics component.
|CVE-2021-1905||Possible use after free due to improper handling of memory mapping of multiple processes simultaneously. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.|
|CVE-2021-1906||Improper handling of address deregistration on failure can lead to new GPU address allocation failure. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.|
|CVE-2021-28663||The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0.|
|CVE-2021-28664||The Arm Mali GPU kernel driver allows privilege escalation or a denial of service (memory corruption) because an unprivileged user can achieve read/write access to read-only pages. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r8p0 through r30p0.|
Asaf Peleg, vice president of strategic projects for Zimperium, told Ars Technica that successful exploits of the vulnerabilities “would give complete control of the victim’s mobile endpoint. From elevating privileges beyond what is available by default to executing code outside of the current process’s existing sandbox, the device would be fully compromised, and no data would be safe.”
This is the second time this month that Qualcomm has suffered chip woes. As Check Point Research reported in early May, a vulnerability in a 5G modem data service could allow a malicious app to exploit the issue, opening up Android phones to attackers being able to eavesdrop, inject, malicious code into a phone’s modem, access call histories and text messages: a problem that could affect up to 30 percent of Android phones.
One Exploit May Be Tied to Spyware Maker NSO Group
As The Record reported, two of the zero-days have previously been exploited in the wild: CVE-2020-11261, a bug in the Qualcomm graphics component that was patched in the January 2021 Android security bulletin, and CVE-2019-2215, an Android exploit that Project Zero believes was developed by exploit broker NSO Group and was allegedly being used, abused and sold to its customers throughout 2019.
NSO Group, an Israeli maker of the Pegasus mobile spyware tool, has long insisted that its products are meant to be used to fight crime and terror. Whatever governments do with it, NSO Group isn’t in on it, the company has said. That contention was dissected in court in July 2020, during Facebook’s lawsuit over alleged spying on WhatsApp users.
At the time, Judge Phyllis Hamilton said that it appears that NSO Group “retained some role” in how its wares are used. She also pointed to a statement to the court from CEO Shalev Hulio, which says that NSO Group carries out its activities “entirely at the direction of their government customers,” and that it provides “advice and technical support” for its notorious Pegasus, which is a remote access trojan (RAT). The tool enables governments to send a personalized text message with an infected link to a blank page. Click on it, whether it be on an iOS or Android phone, and the software gains full control over the targeted device, monitoring all messaging, contacts and calendars, and possibly even turning on microphones and cameras for surveillance purposes.
As far as whether NSO Group is behind these Android zero-day exploits, the sophistication required to exploit these vulnerabilities would be in line with its history. “The complexity of this mobile attack vector is not unheard of but is outside the capabilities of an attacker with rudimentary or even intermediate knowledge of mobile endpoint hacking,” Peleg said. “Any attacker using this vulnerability is most likely doing so as part of a larger campaign against an individual, enterprise, or government with the goal of stealing critical and private information.”
How Should Android Fans Protect Themselves?
Only Android phones that use Arm or Qualcomm GPUs are affected by these bugs. According to recent Arm and Qualcomm security bulletins each of their respected chipsets are impacted. Sources told The Record that this month’s security updates may have been delayed by some smartphone vendors to make sure they shipped the Arm and Qualcomm fixes released on Wednesday.
Threatpost has reached out to Google, NVIDIA ARM and Qualcomm for input on how Android users should proceed.
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!