
New GPUAF Method Discovered for Complete Takeover of Android Phones

Smartphones are now far more than communication tools: they hold our personal data, financial transactions, and business workflows. Android devices built on Qualcomm processors are among the most widely used in the world, and a newly published exploitation method called GPUAF (GPU Use-After-Free) threatens them directly. Developed by mobile security researchers Pan Zhenpeng and Jheng Bing Jhong of STAR Labs, the technique obtains root on nearly all Qualcomm-based Android phones, giving the attacker full control of the system.

Rooting means obtaining privileged (root) control over the operating system, bypassing the restrictions set by manufacturers and carriers. What makes GPUAF dangerous is that it chains several vulnerabilities in Qualcomm's KGSL GPU driver to get from an ordinary app's privileges to a complete system takeover. Affected devices include phones from Samsung, Xiaomi, Honor, and Vivo.

The researchers detailed three vulnerabilities exploited in this chain:

  1. CVE-2024-23380: A race condition in the KGSL VBO (virtual buffer object) map-buffer path, triggered by concurrent callers operating on the same mapping.
  2. CVE-2024-23373: A page-level use-after-free that occurs when an unmap operation fails, leaving already-freed pages still reachable.
  3. A third flaw, not identified by CVE here: page table entries are destroyed prematurely, leaving the GPU driver's internal bookkeeping and the IOMMU mappings out of sync.

In their technical report, the researchers explained: “By chaining these vulnerabilities, we create inconsistencies between the GPU driver’s internal structures and IOMMU mappings. This allows freed memory pages to remain accessible via the GPU, enabling an attacker to control the system.”

The GPUAF method offers two distinct exploitation paths, each allowing full system control:

1. Page Table Manipulation

This approach reclaims the freed pages as ARM64 page tables. Because the GPU can still write to those pages, the attacker edits descriptors in them directly: clearing the AP[2] bit of the AP[2:1] access-permission field in a page descriptor turns a read-only mapping into a writable one without changing the physical page it points at.

With kernel read-only data now writable, SELinux enforcement is disabled by overwriting the selinux_state structure, and the attacker proceeds to root.

Because the corrupting writes are issued by the GPU rather than the CPU, this path also gets past protections such as Samsung's Enhanced SELinux and the KNOX hypervisor, including checks enforced at EL2 (Exception Level 2).
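As an added illustration (not code from the STAR Labs report or from any device), the following C program models the descriptor edit in user space: it builds a VMSAv8-64 level-3 page descriptor for a read-only kernel page in a constructed table, then clears AP[2] the way the exploit would through the GPU, and checks that only the permission bits changed. The addresses, the table contents, and the helper names (make_page_desc, clear_ap2_for_va, demo_flip_ro_page) are all constructed for this example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* VMSAv8-64 stage-1 level-3 (4 KB page) descriptor bits, as Linux arm64 uses them. */
#define DESC_VALID   (1ULL << 0)
#define DESC_PAGE    (1ULL << 1)   /* at level 3, bit 1 set marks a page descriptor */
#define DESC_AP1     (1ULL << 6)   /* AP[1]: 1 = EL0 may also access (Linux PTE_USER) */
#define DESC_AP2     (1ULL << 7)   /* AP[2]: 1 = read-only at every EL (Linux PTE_RDONLY) */
#define DESC_AF      (1ULL << 10)  /* access flag */
#define DESC_UXN     (1ULL << 54)  /* unprivileged execute-never */
#define DESC_OA_MASK 0x0000FFFFFFFFF000ULL   /* output (physical) address, bits [47:12] */

#define PAGE_SHIFT  12
#define PTRS_PER_L3 512

/* Level-3 table index of a virtual address: VA[20:12]. */
static unsigned l3_index(uint64_t va) { return (va >> PAGE_SHIFT) & 0x1ff; }

/* Build a level-3 descriptor for physical page `pa` with AP[2:1] = (ro, user). */
uint64_t make_page_desc(uint64_t pa, bool ro, bool user)
{
    uint64_t d = (pa & DESC_OA_MASK) | DESC_VALID | DESC_PAGE | DESC_AF | DESC_UXN;
    if (ro)   d |= DESC_AP2;
    if (user) d |= DESC_AP1;
    return d;
}

/* Can EL1 (the kernel) store through this descriptor? AP[2] alone decides that. */
bool desc_writable_el1(uint64_t d)
{
    return (d & DESC_VALID) && (d & DESC_PAGE) && !(d & DESC_AP2);
}

/* Human-readable decoding of AP[2:1] for the EL1&0 translation regime. */
const char *desc_ap_string(uint64_t d)
{
    switch ((d >> 6) & 3) {
    case 0:  return "EL1:RW EL0:--";
    case 1:  return "EL1:RW EL0:RW";
    case 2:  return "EL1:RO EL0:--";
    default: return "EL1:RO EL0:RO";
    }
}

/* The attacker's edit once a freed page has been reclaimed as a level-3 table it can
 * still write through the GPU: clear AP[2] in the slot that maps `va`, so a read-only
 * mapping becomes writable while the physical address stays the same.
 * Returns the old descriptor so it can be restored afterwards. */
uint64_t clear_ap2_for_va(uint64_t *l3, uint64_t va)
{
    uint64_t *slot = &l3[l3_index(va)];
    uint64_t old = *slot;
    *slot = old & ~DESC_AP2;
    return old;
}

/* Worked scenario on a constructed table: a page of kernel read-only data (the kind of
 * page selinux_state sits in once the kernel has marked it RO) is flipped to RW.
 * Returns 1 if exactly the AP[2] bit changed and the output address is intact, else 0. */
int demo_flip_ro_page(void)
{
    static uint64_t l3[PTRS_PER_L3];
    /* Constructed values: a kernel VA inside the 2 MB span this table covers and an
     * arbitrary physical page. Neither is a real address from any device. */
    const uint64_t target_va = 0xFFFFFFC010345678ULL;
    const uint64_t target_pa = 0x0000000080345000ULL;
    unsigned idx = l3_index(target_va);

    memset(l3, 0, sizeof l3);
    l3[idx] = make_page_desc(target_pa, /*ro=*/true, /*user=*/false);
    if (desc_writable_el1(l3[idx]))
        return 0;                                /* precondition: starts read-only */

    uint64_t old = clear_ap2_for_va(l3, target_va);
    uint64_t now = l3[idx];
    printf("slot %u before: %016" PRIx64 " (%s)\n", idx, old, desc_ap_string(old));
    printf("slot %u after:  %016" PRIx64 " (%s)\n", idx, now, desc_ap_string(now));

    return ((old ^ now) == DESC_AP2 && (now & DESC_OA_MASK) == target_pa &&
            desc_writable_el1(now)) ? 1 : 0;
}

int main(void)
{
    return demo_flip_ro_page() == 1 ? 0 : 1;
}
```

In this model the edit is a plain CPU store; in the chain the article describes it is a GPU write landing on the physical page through the IOMMU. Either way, the CPU can keep the old permission cached in its TLB until the entry is re-walked, so a real exploit has to account for TLB state before relying on the new permission.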

2. Pipe Buffer Exploitation

The second technique reclaims the freed pages as pipe_buffer structures, the kernel objects that describe each chunk of data queued in a pipe.

A pipe_buffer names the page holding the data (its page field) plus an offset and length. When the newest buffer carries PIPE_BUF_FLAG_CAN_MERGE, a write() to the pipe appends in place through copy_page_from_iter, and a read() copies data out through copy_page_to_iter. An attacker who controls a pipe_buffer can therefore point its page field at any physical page: read() leaks that page's contents, and write() overwrites it at a chosen offset.

The result is arbitrary kernel memory read and write, an alternative route to root that does not depend on page table edits.
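To show why PIPE_BUF_FLAG_CAN_MERGE is the hinge of this second path, here is an added example (not code from the STAR Labs report or from the Linux kernel): a user-space model of the pipe ring with simplified pipe_write() and pipe_read() that follow the kernel's merge and drain logic, plus a forge_last_buffer() step standing in for the GPU write that corrupts a reclaimed pipe_buffer. The victim page, its contents, and the function names are constructed for this example; the struct fields are a trimmed subset of the kernel's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096
#define PIPE_RING_SIZE 16            /* power of two, like the kernel's default ring */
#define PIPE_BUF_FLAG_CAN_MERGE 0x10 /* same value as include/linux/pipe_fs_i.h */

struct page { uint8_t data[PAGE_SIZE]; };

/* Trimmed model of struct pipe_buffer: only the fields the primitive relies on. */
struct pipe_buffer { struct page *page; unsigned int offset, len, flags; };

/* Ring of buffers; buffer number i lives in bufs[i % PIPE_RING_SIZE]. */
struct pipe_inode_info { unsigned int head, tail; struct pipe_buffer bufs[PIPE_RING_SIZE]; };

#define SLOT(p, i) (&(p)->bufs[(i) & (PIPE_RING_SIZE - 1)])

/* Stand-ins for copy_page_from_iter()/copy_page_to_iter(): they copy to or from whatever
 * page the descriptor names, with no check that the pipe actually owns that page. */
static void copy_page_from_iter(struct page *pg, size_t off, const void *src, size_t n)
{ memcpy(pg->data + off, src, n); }
static void copy_page_to_iter(const struct page *pg, size_t off, void *dst, size_t n)
{ memcpy(dst, pg->data + off, n); }

/* Simplified pipe_write(): if the newest buffer has CAN_MERGE and the bytes fit, append
 * into its page in place; otherwise start a new buffer on a fresh page. */
size_t pipe_write(struct pipe_inode_info *pipe, const void *src, size_t n)
{
    if (n > PAGE_SIZE) return 0;
    if (pipe->head != pipe->tail) {
        struct pipe_buffer *buf = SLOT(pipe, pipe->head - 1);
        unsigned int off = buf->offset + buf->len;
        if ((buf->flags & PIPE_BUF_FLAG_CAN_MERGE) && off + n <= PAGE_SIZE) {
            copy_page_from_iter(buf->page, off, src, n);   /* lands in buf->page */
            buf->len += (unsigned int)n;
            return n;
        }
    }
    if (pipe->head - pipe->tail == PIPE_RING_SIZE) return 0;   /* ring is full */
    struct pipe_buffer *buf = SLOT(pipe, pipe->head++);
    buf->page = calloc(1, sizeof *buf->page);
    buf->offset = 0;
    buf->len = (unsigned int)n;
    buf->flags = PIPE_BUF_FLAG_CAN_MERGE;   /* anonymous pipe pages are mergeable */
    copy_page_from_iter(buf->page, 0, src, n);
    return n;
}

/* Simplified pipe_read(): drains buffers from the tail; a fully consumed buffer is
 * retired (the kernel frees or caches its page; this model just drops the slot). */
size_t pipe_read(struct pipe_inode_info *pipe, void *dst, size_t n)
{
    size_t done = 0;
    while (done < n && pipe->tail != pipe->head) {
        struct pipe_buffer *buf = SLOT(pipe, pipe->tail);
        size_t chunk = buf->len < n - done ? buf->len : n - done;
        copy_page_to_iter(buf->page, buf->offset, (uint8_t *)dst + done, chunk);
        buf->offset += (unsigned int)chunk;
        buf->len -= (unsigned int)chunk;
        done += chunk;
        if (buf->len == 0) pipe->tail++;
    }
    return done;
}

/* The corruption step, modelled as a direct store. In the chain described above the freed
 * page holding this ring was reclaimed and is still reachable from the GPU, so the
 * attacker rewrites the newest pipe_buffer to name a page the pipe does not own. */
void forge_last_buffer(struct pipe_inode_info *pipe, struct page *target,
                       unsigned int off, unsigned int len)
{
    struct pipe_buffer *buf = SLOT(pipe, pipe->head - 1);
    buf->page = target; buf->offset = off; buf->len = len;
    buf->flags = PIPE_BUF_FLAG_CAN_MERGE;
}

/* Worked scenario on a constructed victim page. Returns a bitmask:
 * bit 0 = read() returned the victim's bytes, bit 1 = write() modified the victim. */
int demo_pipe_primitive(void)
{
    static struct page victim;             /* constructed "kernel" page the pipe does not own */
    static struct pipe_inode_info pipe;
    uint8_t out[16];
    int ok = 0;

    memset(&victim, 0, sizeof victim);
    memset(&pipe, 0, sizeof pipe);
    memcpy(victim.data + 0x100, "enforcing", 9);   /* placeholder contents, constructed */

    /* Arbitrary read: a forged buffer with len > 0 makes read() copy out of the victim. */
    pipe_write(&pipe, "seed", 4);                  /* a legitimate write gives us a buffer */
    forge_last_buffer(&pipe, &victim, 0x100, 9);
    if (pipe_read(&pipe, out, 9) == 9 && memcmp(out, "enforcing", 9) == 0) ok |= 1;

    /* Arbitrary write: a forged buffer with len == 0 and CAN_MERGE set makes write() take
     * the merge path and copy straight into the victim at the chosen offset. */
    pipe_write(&pipe, "seed", 4);
    forge_last_buffer(&pipe, &victim, 0x100, 0);
    pipe_write(&pipe, "permissiv", 9);
    if (memcmp(victim.data + 0x100, "permissiv", 9) == 0) ok |= 2;
    return ok;
}

int main(void)
{
    int r = demo_pipe_primitive();
    printf("read primitive: %s, write primitive: %s\n",
           (r & 1) ? "ok" : "fail", (r & 2) ? "ok" : "fail");
    return r == 3 ? 0 : 1;
}
```

Without CAN_MERGE the same write() would allocate a fresh page instead of appending, which is why the flag (and not just control of the page pointer) is part of the primitive; the same split between "merge into the existing page" and "allocate a new one" is what the Dirty Pipe bug abused from the other direction.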

The GPUAF method impacts a wide range of Qualcomm-powered devices, including:

  • Samsung Galaxy S series (Snapdragon models; the Exynos variants do not use the Qualcomm GPU driver).
  • Xiaomi phones (e.g., Xiaomi 14, 14 Pro, Redmi Note 13 Pro).
  • Honor phones (e.g., x9b, 90).
  • Vivo phones (e.g., iQOO Z9s Pro, T3 Pro).

The researchers emphasized that the attack’s most dangerous aspect is its broad applicability and ability to bypass hardware-backed security measures. For instance, Samsung’s KNOX and Enhanced SELinux protections are rendered ineffective against GPUAF. This attack poses a significant threat not only to individual users but also to corporate systems and critical infrastructures.

A successful attack enables the installation of persistent malware, theft of sensitive data, and even complete device control. This risk is particularly severe for networks handling confidential information, such as those in healthcare, finance, and government sectors.

Qualcomm has released patches for these vulnerabilities, and security experts urge users to update their devices immediately. The fixes reach phones through each manufacturer's (Samsung, Xiaomi, Honor, Vivo) firmware updates. The update process is usually:

  1. Open the Settings app.
  2. Navigate to Software Update or System Update.
  3. Download and install the latest security patch.

If an update is not yet available for your device, check the security section of the manufacturer's official website regularly. The patch level currently installed is shown under Settings > About phone as the Android security patch level; compare it with the date of the release that carries the fix for your model.

In Uzbekistan, Qualcomm-powered Samsung, Xiaomi, and Vivo phones are widely used, so this vulnerability is a real threat to Uzbekistani users as well; cybercriminals operate globally. The following measures are recommended for users in Uzbekistan:

  • Update Devices: Install the latest security patches to protect your device.
  • Avoid Untrusted Apps: Install only verified apps from the Google Play Store and avoid downloading software from unknown sources.
  • Use Security Software: Reliable antivirus programs like Bitdefender, Kaspersky, or Malwarebytes provide an additional layer of protection.
  • Back Up Data: Regularly back up your data to Google Drive, your manufacturer's cloud service, or local storage devices.
  • Stay Informed About Cybersecurity: Follow cybersecurity resources in Uzbek, such as Telegram channels with hashtags like #KiberXavfsizlik or #XavfsizInternet.

As Uzbekistan’s IT sector rapidly develops, knowledge and vigilance in cybersecurity are more critical than ever. Local businesses and organizations are advised to engage security experts and conduct regular security audits to protect their networks.

The GPUAF method is considered a significant breakthrough in Android exploitation. It demonstrates how GPU driver vulnerabilities can be chained to achieve full system compromise, underscoring the need for robust, multi-layered security in mobile devices.

According to the researchers, “The attack’s broad applicability and ability to bypass hardware-backed security measures make it particularly concerning.” This case serves as a warning not only for Qualcomm but also for other processor manufacturers and operating system developers. Ensuring security requires strengthening both software and hardware protection mechanisms.

The GPUAF technique has exposed a critical gap in the security of Qualcomm-based Android phones. The ability to escalate from ordinary user privileges to root access highlights the need for constant vigilance in cybersecurity. While Qualcomm and manufacturers have released patches to address the vulnerabilities, users must update their devices and adopt precautions to secure themselves.

Cybersecurity is not just a technical issue but a responsibility for every user and organization. Creating a secure digital environment in Uzbekistan and worldwide demands knowledge, caution, and prompt action.