Google's Project Zero division determined that the Pixel phone division has not fixed vulnerabilities in Android.
Android is often a headache for Google for various reasons, and security is one of them. Efforts to streamline patch delivery have paid off for years, but bottlenecks remain. It is nonetheless curious that Google has found fault with the bug-fixing of one of its own flagship brands: the Pixel itself.
According to the latest Project Zero post, the Pixel development team has not resolved a flaw in ARM GPU drivers, a hole that allows an attacker to gain write access on Google phones and those of other brands.
“An attacker running native code in an application context can gain full system access, bypassing Android’s permissions model and having broad access to user data,” says Jann Horn, a Project Zero researcher.
Qualcomm safe, but not the rest
The affected ARM GPUs span three previous generations of architectures and are concentrated in chips such as Samsung's Exynos, Google's Tensor, and MediaTek's processors. Qualcomm uses its own Adreno GPUs for graphics, so its devices are not affected.
In practice, this vulnerability affects millions of smartphones worldwide. According to Engadget, Google noted that “the solution provided by Arm is currently being tested for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to meet future SPL requirements.”
ARM has been notified
Project Zero indicated that it reported these findings to ARM between June and July 2022 and expected a fix, which ARM released in August. However, by testing devices the researchers found that Google and other OEMs had not shipped that fix to end-user phones built with the embedded Mali graphics.
“Just as users are encouraged to apply patches as quickly as possible once a version containing security updates is available, the same is true for vendors and companies,” Project Zero highlights. “Arguably, minimizing the ‘patch gap’ as a vendor in these scenarios is more important, as end users (or other downstream vendors) are blocking this action before they can receive the security benefits of the patch.”