Traditionally, Android’s big problem is a direct consequence of its great advantage: its extreme freedom. The fact that each manufacturer, or even each operator, can modify the system as it sees fit presupposes a fragmentation with serious consequences, particularly at the level of updating.
[Los Samsung Galaxy han sido vulnerables a código de ejecución: asegúrate de actualizar tu móvil]
Although Android has improved in this regard in recent years, many phones that use the system are being abandoned by their manufacturers, simply because it is difficult to support so many different models. Google has implemented some solutions, such as releasing updates as part of Google services, bypassing manufacturers, but obviously that’s not a panacea when cases like the one we’re discussing today’ today occur.
Security Hole in Android Phones
Last June, Project Zero, the team of cybersecurity specialists formed by Google, published a study in which it revealed the existence of five vulnerabilities that affected Android mobiles, and which could be used together to provide access to system memory and therefore, to anything. wants the aggressor. For example, it is possible bypass android permissions and access data that would normally be beyond the reach of an application.
Specifically, the problem is not in the Android system itself, but in the driver used for the GPU from Mali, which is used in many processors mounted in Android smartphones for 3D graphics and games. The researchers tested the “bug” on Pixel, Xiaomi, Samsung, Oppo and other cell phones, and it was possible to take advantage of it on all of them.
The research team notified Arm, the creator of the chip, and he released a security patch that fixed the “bug” and manufacturers only had to apply it to their systems; As usual with Project Zero, the team waited another 30 days to release the results of their investigations, so manufacturers could do the necessary work, and release the update to users.
Researchers criticize the industry
That could have ended the thing, but far from it, that security hole is still open. This week Project Zero had to come back to this problem which it believed to be closed, because it verified that all the mobiles he tested in his time are still vulnerable
The researchers criticized the affected manufacturers, stating that “in the same way that users should update as soon as possible […] the same goes for distributors and enterprises”, and that in fact they consider it more important that the latter minimize the delay in releasing patches.
It also means Google is criticizing itself, since the Pixels haven’t been updated to plug the hole either; although from the start, Project Zero was born with a guarantee of independence to avoid accusations of favoritism that would affect its credibility.