Google accuses itself (and others) of ignoring security flaws on Android phones for months

Google’s Project Zero, a division that regularly hunts for and reports security vulnerabilities to companies, said in a blog post on Tuesday that five security flaws affecting Android smartphones — that it reported back in June and July — has remained unpatched even months after the same being brought to the attention of phone manufacturers. With the issues linked to semiconductor designer Arm’s ‘Mali’ range of mobile graphics processors, the brands that have been highlighted to have left users at potential risk include Samsung, Xiaomi, Oppo, and — ironically enough — Google itself.

The issues could potentially make it possible for a hacker to gain full access to a user’s device, and have ‘broad’ access to a user’s personal data stored on a phone. Ian Beer, a UK-based ‘white hat’ security researcher who works with Google’s Project Zero, wrote in an official blog post that while Arm, the chip designer, fixed the issues from its own end by August itself, no fixes for the vulnerabilities were issued by any of the above-mentioned phone brands so far.

A vulnerability, once discovered, is typically reported to the companies that offer the underlying technologies — such as the firmware of a chip. Once these companies, also referred to as ‘upstream’ companies, issue a fix to the software flaws on their end, the same is then relayed to the consumer-end firm that now needs to incorporate a security patch within their software interface.

A typical unpatched security flaw, also known as a ‘zero-day’, is usually reported to companies under full non-disclosure — and is revealed only in public after a security patch for the same has been issued. The reason behind this is to ensure that hackers with malicious intentions do not end up using the information to target users — which, in this case, could have led to users seeing personal data being stolen from their phones.

It is not clear as to why Google, Oppo, Samsung and Xiaomi have not updated their phone firmware with these patches. The companies have not offered a statement so far on the matter, three days since Project Zero disclosed that the issues have remained without any security patch for months.