article featured image


Google’s Project Zero team revealed that four Android security vulnerabilities were exploited in the wild as zero-day bugs before being patched in early May.

According to a recently updated version of the May 2021 Android Security Bulletin,

There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663, and CVE-2021-28664 may be under limited, targeted exploitation.


The four vulnerabilities impact Qualcomm Graphics and Arm Mali GPU Driver modules:

  • CVE-2021-1905 (CVSS score: 8.4) – Possible use-after-free flaw in Qualcomm’s graphics component due to improper handling of memory mapping of multiple processes simultaneously.
  • CVE-2021-1906 (CVSS score: 6.2) – Improper handling of address deregistration on failure can lead to new GPU address allocation failure.
  • CVE-2021-28663 (CVSS score: NA) – The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free.
  • CVE-2021-28664 (CVSS score: NA) – The Arm Mali GPU kernel driver allows privilege escalation or a denial of service (memory corruption) because an unprivileged user can achieve read/write access to read-only pages.

If a threat actor successfully exploits these weaknesses, he could easily get access to the targeted device and take control over it. However, it is not clear how the attacks themselves were carried out, who may have been targeted, or the threat actors that may be abusing them.

This is one of the rare instances where zero-day bugs in Android have been spotted in real-world cyber offensives.

Back in March, a zero-day vulnerability tracked as CVE-2020-11261 had affected Android devices using Qualcomm chipsets, and from the data that Google provided, the threat actors were actively exploiting the vulnerability in the wild. The issue was then rated as high severity because it required local access to be exploited, meaning that attackers needed physical access to the vulnerable device.

Earlier this month, a security flaw affecting Qualcomm’s mobile station modems (MSM) was disclosed by Check Point’s research team, who claims that the vulnerability could be exploited to inject malicious code into the phone by using the Android OS as an entry point. The impacted chip(s) are reportedly responsible for connecting nearly 40% of all smartphones in the world, including high-end phones from Samsung and other OEMs.

Author Profile

Cezarina Dinu

Head of Marketing Communications & PR

linkedin icon

Cezarina is the Head of Marketing Communications and PR within Heimdal® and a cybersecurity enthusiast who loves bringing her background in content marketing, UX, and data analysis together into one job. She has a fondness for all things SEO and is always open to receiving suggestions, comments, or questions.

Leave a Reply

Your email address will not be published. Required fields are marked *