Google has updated the May Android security notice to reflect the fact that four of the bugs it covers have been determined to be under active exploitation in the wild. This means that those who haven’t applied, or can’t apply, the May patch on their Android devices will have to live with the fact that their smartphones are vulnerable to malicious attacks. This is not a theoretical possibility or a hypothetical scenario; the bugs appear in the list of zero-days maintained by Google’s Project Zero team.
The bugs are the following:
Because each of the above flaws affects either Arm Mali or Qualcomm Adreno GPUs, they cannot all exist on the same Android device. As such, if you are running an older Android patch level, you are vulnerable to a couple of them in the worst-case scenario.
As for the details of the exploitation and the actors’ targeting, Google has chosen not to share much with the public. As Shane Huntley explained on Twitter, sometimes researchers need more time to determine these details, so it’s not that they know stuff and hide it on purpose.
Now here lies the problem with Android. The percentage of devices running the latest security patch is dishearteningly low, so most Android devices out there are exposed to the aforementioned vulnerabilities. Remember, security updates aren’t bound to the OS version, so someone with Android 10 could still receive the May patch.
Some smartphone vendors continue support with regular security patches for up to three years. Others deliver them in 3-month or even 6-month batches, and some delay the roll-out significantly even if they still deliver them. So, if you care about your security, pay attention to that detail the next time you are shopping for a smartphone.