Researchers from Google’s Android Red Team have discovered more than nine vulnerabilities in Adreno GPU, Qualcomm’s popular software used to manage the mobile chips in millions of Android devices. The team spoke about this at the Defcon cybersecurity conference in Las Vegas.
The vulnerabilities, which have now been patched, allowed attackers to gain full control of the device. However, to do this, they first had to gain access to the target device, for example, by tricking the victim into installing a malicious application, Wired explains.
The problem is that any application on Android phones can directly interact with the Adreno GPU driver “without sandboxing or additional checks,” explains Xuan Xing, head of the Android Red Team. While this in itself does not give applications the ability to act maliciously, it does make GPU drivers a bridge between parts of the operating system and its kernel, providing complete control over the entire device, including its memory.
Experts note that GPUs and the software that supports them can become a critical battleground in the field of computer security, since the combination of high implementation complexity and widespread availability is of particular interest to attackers.
Qualcomm has already released patches to original equipment manufacturers (OEMs) in May 2024 and has recommended that end users install security updates from device manufacturers as they become available.