Your new GPU might actually be a mega security risk

Image of padlock against circuit board/cybersecurity background
(Image credit: Future)

Experts have warned about a new type of malware threat that uses your graphics card to stay off the radar of antivirus apps.

As reported by Bleeping Computer, the malware executes via the GPU in its memory buffer, staying hidden from any security apps that could be watching the system RAM for signs of anything suspicious.

The proof-of-concept (PoC) threat has apparently been sold on a hacker forum to an unknown party, who will presumably be leveraging the code to make some kind of functional malware to release into the wild.

Multiple GPUs affected

The seller of the PoC explains that it works on Windows systems (with OpenCL 2.0 or better support), and has been tested across a small number of GPUs from all major manufacturers. 

That means AMD, Intel and Nvidia graphics solutions, including the Nvidia GTX 1650 and AMD Radeon RX 5700, as well as Intel integrated graphics in CPUs (Intel UHD 620 and 630).

Note that integrated GPUs use system memory, of course, but there are still chunks of that set aside for the graphics system which can be used in the same way for stealthily hiding malware as the dedicated VRAM on-board a discrete video card.

Analysis: Worrying – but let’s not get carried away just yet

Before we start proclaiming panic stations in the GPU world, remember that nothing has actually come of this thus far. At the moment, this is just a report about a claimed PoC that hasn’t been turned into anything which might threaten your PC – not yet, anyway, but watch this space (or rather, watch that GPU memory space). The tool was supposedly sold on August 25, incidentally, just a week ago.

Furthermore, the idea of using the GPU to push malware onto a PC in this manner isn’t a new one. As Bleeping Computer observes, demo code for this kind of exploit leveraging graphics cards has been floating around before in the academic space, and we’ve even seen ‘JellyFish’, a PoC for a GPU rootkit aimed at Linux systems way back in 2015. Another hacker actually pointed out the latter in the forum where the new PoC was sold.

Still, even if this is nothing new as such, the author promises that their fresh creation isn’t anything to do with JellyFish, and that the method used here is ‘different and does not rely on code mapping back to userspace’.

In short, there are ominous rumblings here, then, that this does have the potential to develop into something worrying. And if it’s capable of affecting a range of GPUs as testing suggests – including the likes of Intel integrated graphics which have supposedly been proven to be affected – then that really is a concern. Most Windows PCs out there are laptops, after all, running Intel processors in the main.

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).