"There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663, and CVE-2021-28664 may have limited and targeted exploits," Google said in a highlighted one-sentence note.
"CVE" numbers are how computer security professionals refer to known vulnerabilities. According to Google Project Zero researcher Maddie Stone, who tweeted the preliminary update, two of the flaws involve Qualcomm graphics processors, while the other two affect ARM Mali GPUs. At least two of the flaws allow for complete system hijacking.
The "limited and targeted exploits" seem to imply that these flaws are being used by state-sponsored hackers (i.e., international cyberspies) in attacks against specific persons or organizations.
We have seen many limited and targeted attacks exploiting both Android and iOS flaws, by Chinese security services against Tibetan and Uyghur dissidents, for example, but there is no indication of who the participants are here.
To protect yourself against such exploits, remember to install the May Android security patch as soon as it is available for your device. Google's Pixel devices should already be able to install it, and Samsung's and OnePlus' recent flagship phones should be able to install it now or soon.
Other phones may have to wait a long time, or even forever, to get the May Android update. That's why you need to pay attention to the Android phone you're using, especially if you are a potential target of cyber espionage (defense contractors, information security professionals, political activists, journalists, diplomats, corporate executives, politicians, active duty military, etc.).
If your Android device hasn't gotten Google's Android Security Update within 60 days of its release, or hasn't gotten the update at all, it's time for a new phone.
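The 60-day rule above can be checked mechanically across a set of devices. This added example (not from the original article) classifies each device by the patch level string Android reports in Settings or through `getprop ro.build.version.security_patch`; the 2021-05-05 threshold, the bulletin release date and the sample inventory are assumptions.

```python
from datetime import date, timedelta

# Assumption: the four GPU driver fixes ship in the 2021-05-05 patch level string.
REQUIRED_LEVEL = date(2021, 5, 5)
# Assumption: release date of the May 2021 bulletin; adjust if your source differs.
BULLETIN_RELEASED = date(2021, 5, 3)
GRACE = timedelta(days=60)  # the 60-day window the article recommends


def parse_patch_level(raw):
    """Parse a YYYY-MM-DD patch level; return None if missing or malformed."""
    try:
        return date.fromisoformat(raw.strip())
    except (AttributeError, ValueError):
        return None


def classify(raw_level, today):
    """Return 'patched', 'update-pending', 'replace' or 'unknown' for one device."""
    level = parse_patch_level(raw_level)
    if level is None:
        return "unknown"          # no usable patch level reported
    if level >= REQUIRED_LEVEL:
        return "patched"
    if today - BULLETIN_RELEASED > GRACE:
        return "replace"          # still unpatched after the 60-day window
    return "update-pending"       # unpatched, but the window is still open


def audit(devices, today):
    """Classify every device in a {name: patch_level_string} inventory."""
    return {name: classify(level, today) for name, level in devices.items()}


# Constructed sample inventory (hypothetical device names and values).
SAMPLE = {
    "pixel-lab-01": "2021-05-05",
    "tablet-07": "2021-05-01",
    "phone-legacy": "2020-11-01",
    "kiosk-03": "",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE, date(2021, 7, 15)).items():
        print(f"{name}: {verdict}")
```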
Qualcomm's own May 2021 security bulletin gives CVE-2021-1905 a "high" security threat rating and states that the issue is related to "use after free." This flaw means that a certain amount of running memory is left unprotected, allowing malware to hook running processes. The issue affects about 300 chipsets from Qualcomm, including many of the Snapdragon chips that power its flagship phones.
CVE-2021-1906 is not very serious and has a threat rating of "Medium"; it is classified as "Detecting error conditions without action in graphics" and described as "Improper handling of address deregistration on failure (which can lead to failure to allocate a new GPU address)."
I'm not sure what that means, but it may have something to do with the process failing to "open" and being hooked by a potential attacker. It affects about 350 Qualcomm chipsets, many of them the same ones affected by the other flaw.
ARM addressed the flaw in March, describing CVE-2021-28663 as allowing "non-privileged users" -- i.e., anyone or anything -- to exploit the "use-after-free scenario" of graphics memory to "gain root privileges and disclose information."
ARM does not give this a severity rating, but gaining root privileges, i.e., taking complete control of the system, is pretty high on the list.
CVE-2021-28664 not only allows the attacker to gain root, but also to "corrupt memory and modify the memory of other processes." This is done by gaining "write access to read-only memory," which is quite interesting. These flaws affect ARM's Midgard, Bifrost, and Valhall (without A) GPU kernel drivers.
At the time of ARM's March security bulletin, the Bifrost and Valhall drivers had been patched and the Midgard driver was about to be patched. Presumably, this patch will be included in the May Android update.