Dan Goodin - May 19, 2021 8:45 pm UTC
A computer screen filled with ones and zeros also contains a Google logo and the word hacked." />
Unknown hackers have been exploiting four Android vulnerabilities that allow the execution of malicious code that can take complete control of devices, Google warned on Wednesday.
All four of the vulnerabilities were disclosed two weeks ago in Google’s Android Security Bulletin for May. Google has released security updates to device manufacturers, who are then responsible for distributing the patches to users.
Google’s May 3 bulletin initially didn’t report that any of the roughly 50 vulnerabilities it covered were under active exploitation. On Wednesday, Google updated the advisory to say that there are “indications” that four of the vulnerabilities “may be under limited, targeted exploitation.” Maddie Stone, a member of Google’s Project Zero exploit research group, removed the ambiguity. She declared on Twitter that the “4 vulns were exploited in-the-wild” as zero-days.
Successful exploits of the vulnerabilities “would give complete control of the victim’s mobile endpoint,” Asaf Peleg, vice president of strategic projects for security firm Zimperium, said in an email. “From elevating privileges beyond what is available by default to executing code outside of the current process’s existing sandbox, the device would be fully compromised, and no data would be safe.”
So far, there have been four Android zero-day vulnerabilities disclosed this year, compared with one for all of 2020, according to figures from Zimperium.
Two of the vulnerabilities are in Qualcomm’s Snapdragon CPU, which powers the majority of Android devices in the US and a massive number of handsets overseas. CVE-2021-1905, as the first vulnerability is tracked, is a memory-corruption flaw that allows attackers to execute malicious code with unfettered root privileges. The vulnerability is classified as severe, with a rating of 7.8 out of 10.
The other vulnerability, CVE-2021-1906, is a logic flaw that can cause failures in allocating new GPU memory addresses. The severity rating is 5.5. Frequently, hackers chain two or more exploits together to bypass security protections. That is likely the case with the two Snapdragon flaws.
The other two vulnerabilities under attack reside in drivers that work with ARM graphics processors. Both CVE-2021-28663 and CVE-2021-28664 are also memory-corruption flaws that allow attackers to gain root access on vulnerable devices.
There are no other details about the in-the-wild attacks. Google representatives didn’t respond to emails asking how users can tell if they’ve been targeted.
The skill required to exploit the vulnerabilities has led some researchers to speculate that the attacks are likely the work of nation-state-backed hackers.
“The complexity of this mobile attack vector is not unheard of but is outside the capabilities of an attacker with rudimentary or even intermediate knowledge of mobile endpoint hacking,” Peleg said. “Any attacker using this vulnerability is most likely doing so as part of a larger campaign against an individual, enterprise, or government with the goal of stealing critical and private information.”
It’s not clear precisely how someone would go about exploiting the vulnerabilities. The attacker could send malicious text messages or trick targets into installing a malicious app or visiting a malicious website.
Without more actionable information from Google, it’s impossible to provide helpful advice to Android users except to say that they should ensure all updates have been installed. Those using Android devices from Google will automatically receive patches in the May security rollout. Users of other devices should check with the manufacturer.
Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.