Google Says Surveillance Vendor Targeted Samsung Phones With Zero-Days
Google says it has evidence that a commercial surveillance provider exploited three zero-day vulnerabilities discovered in new Samsung smartphones.
Vulnerabilities discovered in Samsung's custom software were used together as part of an exploit chain to target Samsung Android phones. Chained together, the vulnerabilities allow an attacker to gain kernel read and write privileges as the root user, ultimately exposing the data on the device.
Google Project Zero security researcher Maddie Stone said in a blog post that the exploit chain targets Samsung phones with an Exynos chip, which run a specific version of the kernel. Samsung phones with Exynos chips are sold mainly in Europe, the Middle East and Africa, where the targets of surveillance are likely to be located.
Stone said the Samsung phones running the kernel in question at the time were the S10, A50 and A51.
The bugs, which have since been patched, were exploited by Android malware that the user may have installed from outside of the app store. The malware allows an attacker to escape the software sandbox, which is designed to contain an app's activity, and gain access to the rest of the device's operating system. Only one component of the payload was recovered, Stone said, so it is unclear what the final payload was, though the three vulnerabilities paved the way for its eventual delivery.
"The first vulnerability in this chain, the arbitrary file read and write, was at the core of this chain, exploited four times and at least once at each step," Stone wrote. "Java components on Android devices, despite running at such a privileged level, are typically not the most popular targets for security researchers," Stone said.
Google declined to name the commercial surveillance provider, but said the exploit followed a similar pattern to recent device infections in which malicious Android apps were used to deliver powerful spyware.
Earlier this year, security researchers discovered Hermit, Android and iOS spyware developed by RCS Labs that was used in government-led attacks with known victims in Italy and Kazakhstan. Hermit relies on tricking the target into downloading and installing the malware, such as an app disguised as a mobile carrier support app distributed outside of the app store, which then silently steals the victim's contacts, audio recordings, photos, videos and precise location data. Google has started alerting Android users whose devices have been compromised by Hermit. Surveillance provider Connexxa also used locally downloaded malware to attack Android and iPhone users.
Google notified Samsung of the three vulnerabilities in late 2020, and Samsung deployed patches to affected phones in March 2021, but did not disclose at the time that the vulnerabilities were being actively exploited. According to Stone, Samsung has since committed to proactively disclosing when vulnerabilities are exploited, as Apple and Google already do in their security updates.
"Analysis of this exploit chain gave us important new insights into how attackers target Android devices," Stone said, adding that further research could reveal new vulnerabilities in proprietary software from Android device manufacturers like Samsung.
"This highlights the need for further research on proprietary components. It shows where we need to do more options analysis," Stone said.
By Zack Whittaker. Originally published on TechCrunch.