Google says it has evidence that a commercial surveillance provider was exploiting three zero-day security vulnerabilities found in new Samsung smartphones.
The vulnerabilities, discovered in Samsung’s custom software, were used together as part of a chain of exploits to target Samsung phones running Android. Chained vulnerabilities allow an attacker to obtain kernel read and write privileges as the root user and ultimately expose a device’s data.
Google Project Zero security researcher Maddie Stone said in a blog post that the exploit chain targets Samsung phones with an Exynos chip running a specific version of the kernel. Samsung phones are sold with Exynos chips mainly in Europe, the Middle East and Africa, where the surveillance targets are likely to be found.
Stone said Samsung phones running the affected kernel at the time include the S10, A50, and A51.
The flaws, which have since been fixed, were exploited by a malicious Android app that the user may have been tricked into installing from outside the app store. The malicious app allowed the attacker to escape the app sandbox designed to contain its activity and access the rest of the device’s operating system. Only one component of the exploit app was obtained, Stone said, so it’s unknown what the final payload was, although the three vulnerabilities paved the way for its eventual delivery.
“The first vulnerability in this chain, the arbitrary file read and write, was the basis of this chain, used four different times and used at least once in each step,” Stone wrote. “Java components in Android devices don’t tend to be the most popular targets for security researchers, despite working at such a privileged level,” said Stone.
Google declined to name the commercial surveillance provider, but said the exploitation follows a similar pattern to recent device infections where malicious Android apps have been abused to deliver powerful nation-state spyware.
Earlier this year, security researchers discovered Hermit, an Android and iOS spyware developed by RCS Lab and used in targeted attacks by governments, with known victims in Italy and Kazakhstan. Hermit relies on deceiving the target into downloading and installing the malicious app, such as one disguised as a mobile carrier assistance app, from outside the app store, and then silently steals the victim’s contacts, audio recordings, photos, videos and granular location data. Google has started notifying Android users whose devices have been compromised by Hermit. Surveillance provider Connexxa has also used malicious sideloaded apps to target both Android and iPhone owners.
Google reported the three vulnerabilities to Samsung in late 2020, and Samsung rolled out patches to affected phones in March 2021, but did not disclose at the time that the vulnerabilities were being actively exploited. Stone said Samsung has since committed to disclosing when vulnerabilities are actively exploited, following Apple and Google, which both note in their security updates when vulnerabilities are under attack.
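For a fleet owner, the practical question raised by the paragraph above is which devices still predate the March 2021 fixes. The following is an added example (not code from Google, Project Zero, Samsung or the article): it parses `adb shell getprop` output, keeps only Samsung Exynos devices, and compares the Android security patch level against the fix date. The property names (`ro.product.manufacturer`, `ro.hardware`, `ro.build.version.security_patch`) are standard Android properties; the assumptions are that a patch level of 2021-03-01 or later carries the fixes and that Exynos devices report an `exynos…` value in `ro.hardware`. The sample dumps are constructed, not captured from real phones.

```python
import re
from datetime import date

# Per the article, Samsung shipped fixes for the three Project Zero-reported
# bugs in March 2021. Assumption (not from the article): a device whose
# security patch level is 2021-03-01 or later carries those fixes.
FIXED_PATCH_LEVEL = date(2021, 3, 1)

# `adb shell getprop` prints one "[key]: [value]" pair per line.
_GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]\s*$")


def parse_getprop(text: str) -> dict:
    """Parse getprop output into a {key: value} dict; malformed lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = _GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def parse_patch_level(value: str):
    """Parse ro.build.version.security_patch ('YYYY-MM-DD'); None if unparseable."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value.strip())
    if not m:
        return None
    try:
        return date(*(int(g) for g in m.groups()))
    except ValueError:  # e.g. 2021-02-30
        return None


def is_samsung_exynos(props: dict) -> bool:
    """The chain targeted Samsung phones with Exynos chips (article).
    Assumption: such devices report an 'exynos…' value in ro.hardware."""
    manufacturer = props.get("ro.product.manufacturer", "").lower()
    hardware = props.get("ro.hardware", "").lower()
    return manufacturer == "samsung" and hardware.startswith("exynos")


def assess(props: dict) -> str:
    """Return 'out-of-scope', 'patched', 'unpatched' or 'unknown'.

    The article says only a specific kernel version was targeted but does not
    name it, so this check is deliberately conservative: every Samsung Exynos
    device below the fix patch level is reported as unpatched."""
    if not is_samsung_exynos(props):
        return "out-of-scope"
    level = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    if level is None:
        return "unknown"
    return "patched" if level >= FIXED_PATCH_LEVEL else "unpatched"


# Constructed sample dumps; values are illustrative, not captured from real devices.
SAMPLE_DEVICES = {
    "exynos-old": """[ro.product.manufacturer]: [samsung]
[ro.hardware]: [exynos9820]
[ro.build.version.security_patch]: [2021-01-01]""",
    "exynos-new": """[ro.product.manufacturer]: [samsung]
[ro.hardware]: [exynos9820]
[ro.build.version.security_patch]: [2021-03-01]""",
    "pixel": """[ro.product.manufacturer]: [Google]
[ro.hardware]: [sunfish]
[ro.build.version.security_patch]: [2020-12-05]""",
    "no-level": """[ro.product.manufacturer]: [samsung]
[ro.hardware]: [exynos9611]
[ro.build.version.security_patch]: []""",
}


def assess_fleet(dumps: dict) -> dict:
    """Map each device name to its verdict."""
    return {name: assess(parse_getprop(text)) for name, text in dumps.items()}


if __name__ == "__main__":
    for name, verdict in assess_fleet(SAMPLE_DEVICES).items():
        print(f"{name}: {verdict}")
```

In practice the dumps would come from `adb -s <serial> shell getprop` per enrolled device; an "unknown" verdict (missing or malformed patch level) deserves a manual look rather than being treated as safe.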
“The analysis of this exploit chain has provided us with new and important insights into how attackers target Android devices,” added Stone, noting that further research could uncover new vulnerabilities in custom software created by Android device manufacturers, like Samsung.
“It highlights the need for further research on manufacturer-specific components. It shows where we should do further variant analysis,” said Stone.