June 2023 Security Update for Android fixed Arm Mali GPU bug used by spyware

June 2023 security update for Android released by Google fixes about fifty flaws, including an Arm Mali GPU bug exploited by surveillance firms in their spyware.

The June 2023 Android Security Bulletin provides details about the fix for more than fifty vulnerabilities affecting Android devices.

Security updates released this month also addressed a vulnerability, tracked as CVE-2022-22706, that affects the Arm Mali GPU. The flaw made headlines because it was exploited by surveillance firms for their spyware.

CVE-2022-22706, a vulnerability in Mali GPU Kernel Driver fixed by ARM in January 2022 and marked as being used in the wild. At the time of delivery, the latest Samsung firmware had not included a fix for this vulnerability. This vulnerability grants the attacker system access.

In March, Google’s Threat Analysis Group (TAG) shared details about two distinct campaigns which used several zero-day exploits against Android, iOS and Chrome. The experts pointed out that both campaigns were limited and highly targeted. The threat actors behind the attacks used both zero-day and n-day exploits in their exploits.

The exploit chains were used to install commercial spyware and malicious apps on targets’ devices. The CVE-2022-22706 vulnerability was exploited as part of these exploit chains.

In early April, U.S. Cybersecurity and Infrastructure Security Agency (CISA) added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including the above issue.

June 2023 Android update includes 2023-06-01 security patch level vulnerability details and 2023-06-05 security patch level vulnerability details.

As usual, the June 2023 Android update is split into two. The first part, which arrives on devices as the 2023-06-01 security patch level, resolves 10 vulnerabilities in the Framework component and 13 bugs in the System component.

Three of these issues are critical-severity remote code execution (RCE) flaws. They are tracked as CVE-2023-21127, CVE-2023-21108, and CVE-2023-21130.

The most severe of these vulnerabilities addressed by Google is a critical security issue that resides in the System component. An attacker can exploit the flaw to achieve remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. The experts pointed out that the issue doesn’t require user interaction for exploitation.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. User interaction is not needed for exploitation,” reads the advisory.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, surveillance, spyware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.