June 2023 Security Update for Android fixed Arm Mali GPU bug used by spyware

June 2023 security update for Android released by Google fixes about fifty flaws, including an Arm Mali GPU bug exploited by surveillance firms in their spyware.

The June 2023 Android Security Bulletin provides details about the fix for more than fifty vulnerabilities affecting Android devices.

Security updates released this month also addressed a vulnerability, tracked as CVE-2022-22706, that affects the Arm Mali GPU. The flaw made headlines because it was exploited by surveillance firms for their spyware.

CVE-2022-22706, a vulnerability in Mali GPU Kernel Driver fixed by ARM in January 2022 and marked as being used in the wild. At the time of delivery, the latest Samsung firmware had not included a fix for this vulnerability. This vulnerability grants the attacker system access.

In March, Google’s Threat Analysis Group (TAG) shared details about two distinct campaigns which used several zero-day exploits against Android, iOS and Chrome. The experts pointed out that both campaigns were limited and highly targeted. The threat actors behind the attacks used both zero-day and n-day exploits in their exploits.

The exploit chains were used to install commercial spyware and malicious apps on targets’ devices. The CVE-2022-22706 vulnerability was exploited as part of these exploit chains.

In early April, U.S. Cybersecurity and Infrastructure Security Agency (CISA) added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including the above issue.

June 2023 Android update includes 2023-06-01 security patch level vulnerability details and 2023-06-05 security patch level vulnerability details.

As usual, the June 2023 Android update is split into two. The first part, which arrives on devices as the 2023-06-01 security patch level, resolves 10 vulnerabilities in the Framework component and 13 bugs in the System component.

Three of these issues are critical-severity remote code execution (RCE) flaws. They are tracked as CVE-2023-21127, CVE-2023-21108, and CVE-2023-21130.

The most severe of these vulnerabilities addressed by Google is a critical security issue that resides in the System component. An attacker can exploit the flaw to achieve remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. The experts pointed out that the issue doesn’t require user interaction for exploitation.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. User interaction is not needed for exploitation,” reads the advisory.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, surveillance, spyware)