
Google says it has evidence that a commercial surveillance vendor exploited three zero-day security vulnerabilities in newer Samsung smartphones.
The vulnerabilities, found in Samsung's custom software, were used together as part of an exploit chain to target Samsung phones running Android. Chained together, the vulnerabilities allow an attacker to gain kernel read and write privileges as the root user, ultimately exposing the device's data.
Google Project Zero security researcher Maddie Stone said in a blog post that the exploit chain targets Samsung phones with an Exynos chip running a specific kernel version. Samsung phones are sold mainly with Exynos chips in Europe, the Middle East and Africa, which is where the surveillance targets are likely to be.
Stone said Samsung phones with the affected kernel at the time were the S10, A50 and A51.
The bugs, which have since been patched, were exploited by a malicious Android app, which may have tricked the user into installing it from outside the app store. The malicious app allows the attacker to escape the app sandbox designed to contain its activity and gain access to the rest of the device's operating system. Only part of the exploit app was obtained, Stone said, so it is unknown what the final payload was, even though the three vulnerabilities paved the way for its delivery.
"The first vulnerability in this chain, the arbitrary file read and write, was the foundation of this chain, used four different times and at least once in each step," Stone wrote. "The Java components in Android devices don't tend to be the most popular targets for security researchers despite running at such a privileged level," Stone added.
Google declined to name the commercial surveillance vendor, but said the exploitation follows a pattern similar to recent device infections in which malicious Android apps were abused to deliver powerful nation-state spyware.
Earlier this year, security researchers discovered Hermit, an Android and iOS spyware developed by RCS Lab and used in targeted attacks by governments, with known victims in Italy and Kazakhstan. Hermit relies on tricking a target into downloading and installing the malicious app, such as a disguised mobile carrier assistance app, from outside the app store, and then silently steals a victim's contacts, audio recordings, photos, videos and precise location data. Google began notifying Android users whose devices had been compromised by Hermit. Surveillance vendor Connexxa also used malicious sideloaded apps to target both Android and iPhone owners.
Google reported the three vulnerabilities to Samsung at the end of 2020, and Samsung rolled out patches to affected phones in March 2021, but did not disclose at the time that the vulnerabilities were being actively exploited. Stone said Samsung has since pledged to disclose when vulnerabilities are actively exploited, following Apple and Google, which also note in their security updates when vulnerabilities are under attack.
"The analysis of this exploit chain has provided us with new and important insights into how attackers are targeting Android devices," Stone added, noting that further research could uncover new vulnerabilities in the custom software built by Android device manufacturers such as Samsung.
“It highlights the need for more research into manufacturer-specific components. It shows where we should do further variant analysis,” said Stone.