Google says a surveillance vendor targeted Samsung phones with zero-days

Google claims it has evidence that a commercial surveillance system vendor exploited three zero-day security vulnerabilities found in newer Samsung smartphones.

Vulnerabilities found in Samsung’s custom software were used together as part of an exploit chain to target Samsung phones running Android. Chaining the vulnerabilities allows an attacker to gain kernel read and write privileges as the root user and ultimately expose device data.

Google Project Zero security researcher Maddy Stone said in a blog post that the exploit chain targets Samsung phones with an Exynos chip running a specific version of the kernel. Samsung phones are sold with Exynos chips primarily in Europe, the Middle East and Africa, where the surveillance targets are likely to be located.

Stone said Samsung phones running the affected kernel at the time included the S10, A50 and A51.

The vulnerabilities, since fixed, were exploited by a malicious Android app that the user may have been tricked into installing outside of the app store. The malicious app allows the attacker to escape the app’s sandbox, which is designed to limit its activity, and gain access to the rest of the device’s operating system. Only a component of the exploit application was obtained, Stone said, so it’s not known what the final payload was, even if the three vulnerabilities paved the way for its eventual delivery.

“The first vulnerability in this chain, read and write any file, was the basis of this circuit, used four different times and used at least once in each step,” Stone wrote. “Java components in Android devices are not typically the most popular targets for security researchers, even though they operate at such a privileged level,” Stone said.

Google declined to name the commercial surveillance vendor, but said the exploit followed a pattern similar to recent device infections where malicious Android apps were abused to deliver powerful nation-state spyware.

Earlier this year, security researchers discovered Hermit, spyware for Android and iOS developed by RCS Lab and used in targeted attacks by governments, with known victims in Italy and Kazakhstan. Hermit relies on tricking the target into downloading and installing the malicious app, such as a disguised cellular carrier assistance app, from outside the app store, and then quietly steals the victim’s contacts, audio, photos, videos, and detailed location data. Google has started notifying Android users whose devices have been compromised by Hermit. Surveillance systems provider Connexxa also used malicious sideloaded applications to target Android and iPhone owners.

Google reported the three vulnerabilities to Samsung in late 2020, and Samsung released patches for the affected phones in March 2021, but did not disclose at the time that the vulnerabilities were being actively exploited. Stone said Samsung has since committed to begin disclosing when vulnerabilities are being actively exploited, following Apple and Google, which also disclose in their security updates when vulnerabilities are under attack.

“Analyzing this chain of exploits has provided us with new and important insights into how attackers target Android devices,” Stone added, hinting that further research could uncover new vulnerabilities in custom software built by Android device manufacturers, like Samsung.

“This highlights the need for more research into manufacturer-specific components. It shows where we need to do further analysis of options,” Stone said.
