Keep Me Updated: An Empirical Study of Proprietary Vendor Blobs in Android Firmware

TL;DR

This study analyzes proprietary vendor blobs in Android firmware, revealing outdated components and security vulnerabilities, and emphasizes the need for timely updates to enhance system security.

Contribution

It provides the first large-scale empirical analysis of vendor blobs, focusing on GPU components, and introduces a new fuzzer to detect security bugs without physical device access.

Findings

82% of firmware have outdated GPU blobs

Discovered 289 security and behavioral bugs

Vulnerabilities can be exploited via WebGL

Abstract

Despite extensive security research on various Android components, such as kernel or runtime, little attention has been paid to the proprietary vendor blobs within Android firmware. In this paper, we conduct a large-scale empirical study to understand the update patterns and assess the security implications of vendor blobs. We specifically focus on GPU blobs because they are loaded into every process for displaying graphics user interfaces and can affect the entire system's security. We examine over 13,000 Android firmware releases between January 2018 and April 2024. Our results reveal that device manufacturers often neglect vendor blob updates. About 82\% of firmware releases contain outdated GPU blobs (up to 1,281 days). A significant number of blobs also rely on obsolete LLVM core libraries released more than 15 years ago. To analyze their security implications, we develop a performant fuzzer that requires no physical access to mobile devices. We discover 289 security and behavioral bugs within the blobs. We also present a case study demonstrating how these vulnerabilities can be exploited via WebGL. This work underscores the critical security concerns associated with vulnerable vendor blobs and emphasizes the urgent need for timely updates from device manufacturers.