Google Should Do A Better Job In Patching Android Bugs, Said Google Researchers

Android is the most popular mobile operating system in terms of numbers, and that happens for many reasons.

The operating system is extremely flexible and capable. It's also open source and customizable for both developers and end users. While these provide huge advantages over competitors such as Apple's iOS, the advantages apparently come with disadvantages.

Among the most concerning are zero-day vulnerabilities that can't be patched quickly on all devices.

Google's "Project Zero" team of security analysts, who work day and night to rid the world of zero-day security vulnerabilities, said that the Android and Pixel teams aren't dealing with bugs in the ARM GPU driver quickly enough.

The matter of concern is a wildly exploited vulnerability in a number of ARM-made GPU drivers.

Back in June, Project Zero researchers detailed an in-the-wild exploit for the phone, where bugs in the ARM GPU driver could let a non-privileged user get write access to read-only memory, allowing "an attacker with native code execution in an app context [to] gain full access to the system, bypassing Android's permissions model and allowing broad access to user data."

Over the next three weeks, the team found five exploitable vulnerabilities.

In a blog post, the researchers at Project Zero said that they reported these issues to ARM "between June and July 2022" and that ARM fixed the issues "promptly" in July and August, issuing a security bulletin (CVE-2022-36449) and publishing fixed source code.

However, the actively exploited vulnerabilities haven't been patched for users.

The researchers blamed it on Google and other Android manufacturers, saying that months after ARM fixed the vulnerabilities, "all of our test devices which used Mali are still vulnerable to these issues. CVE-2022-36449 is not mentioned in any downstream security bulletins."

The affected ARM GPUs include a long list of the past three generations of ARM GPU architectures (Midgard, Bifrost, and Valhall), ranging from 2022 devices to phones introduced back in 2016.

It's worth noting that ARM's GPUs aren't used by Qualcomm chips.

The affected ARM GPUs are used by Google's Tensor SoC in the Pixel 6, 6a, and 7, as well as by Samsung's Exynos SoC in the company's mid-range Android phones and older flagships.

If that isn't bad enough, the affected ARM GPUs are also used on all of MediaTek's SoCs, meaning that millions of Android devices from just about every Android OEM are affected by the bugs.

Google's Tensor SoC in the Pixel 6. (Credit: Google)

"Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies," said the Project Zero researchers.

"Minimizing the 'patch gap' as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch. Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible."

The team suggests that the best way to tighten the lag between the time a patch is issued and the time it reaches the wider ecosystem is to remain vigilant.

In response to the finding, Google gave some insight.

"The fix provided by Arm is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements," said Google.

Published: 30/11/2022