Google has revealed that opponents are patching a now patched vulnerability affecting Android devices that use Qualcomm chips to launch targeted attacks.
Traced as CVE-2020-11261 (CVSS Score 8.4), the flaw relates to the issue of “improper input validation” in the Qualcomm Graphics component that could be used to trigger memory corruption when an attacker-engineered app requests access to a huge chunk of device memory.
“There are indications that CVE-2020-11261 may be under limited, targeted exploitation,” the search giant said in a January 18 security bulletin updated March 18.
CVE-2020-11261 was discovered and reported to Qualcomm by Google’s Android Security team on July 20, 2020, after which it was determined in January 2021.
It is worth noting that the access vector for the vulnerability is “local,” which means exploitation requires local access to the device. That is, to launch a successful attack, the evil actor must either physically access the vulnerable smartphone or use other means – e.g., watering hole – to distribute malicious code and initiate the attack chain.
Although specific details of the attacks, the identity of the attacker, or the targeted victims have not been released, it is not unusual for Google to prevent the sharing of such information to prevent other threat actors from exploiting vulnerability.
If anything, the development again underlines the need to install monthly security updates promptly as soon as they become available to prevent exploitation of Android devices. We’ve reached out to Google for comments and will update this article if we hear back.