Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Google Reveals Spyware Vendor’s Use of Samsung Phone Zero-Day Exploits

Google Project Zero has disclosed the details of three Samsung phone vulnerabilities that have been exploited by a spyware vendor since when they still had a zero-day status.

Google Project Zero has disclosed the details of three Samsung phone vulnerabilities that have been exploited by a spyware vendor since when they still had a zero-day status.

The flaws, tracked as CVE-2021-25337, CVE-2021-25369 and CVE-2021-25370, have been chained and exploited against Android phones, but they impact custom Samsung components. The security holes have been described as an arbitrary file read/write issue via a custom clipboard content provider, a kernel information leak, and a use-after-free in the display processing unit driver.

“All three vulnerabilities in this chain were in the manufacturer’s custom components rather than in the AOSP platform or the Linux kernel. It’s also interesting to note that 2 out of the 3 vulnerabilities were logic and design vulnerabilities rather than memory safety,” explained Google Project Zero’s Maddie Stone.

Google’s researchers have not identified the application used to deliver the exploit or the final payload deployed by the attacker. However, they determined that the vulnerabilities have been used to write a malicious file to the targeted device, bypass security mechanisms, and obtain kernel read and write access.

Google reported the vulnerabilities to Samsung in late 2020, when it found exploit samples. The tech giant released patches in March 2021.

According to Google, the kernel versions targeted by the exploit were running on Samsung S10, A50 and A51 smartphones in late 2020.

Google’s Threat Analysis Group believes the exploit has been developed by a commercial surveillance vendor. While that vendor has not been named, Google noted that the method used for initial code execution via an application is similar to other campaigns, including one targeting Apple and Android smartphones in Italy and Kazakhstan, which has been linked to Italian company RCS Lab.

Advertisement. Scroll to continue reading.

Google is aware of half a dozen other Samsung vulnerabilities with 2021 CVE identifiers that have been exploited in attacks, but details have yet to be disclosed.

The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added the three Samsung vulnerabilities to its known exploited vulnerabilities catalog, instructing government agencies to patch them until November 29.

Project Zero pointed out that Samsung’s advisories still do not mention in-the-wild exploitation of these vulnerabilities, but the vendor has allegedly promised that in the future it will warn customers when malicious exploitation is detected.

“Labeling when vulnerabilities are known to be exploited in-the-wild is important both for targeted users and for the security industry. When in-the-wild 0-days are not transparently disclosed, we are not able to use that information to further protect users, using patch analysis and variant analysis, to gain an understanding of what attackers already know,” Stone said.

Related: Sophisticated Android Spyware ‘Hermit’ Used by Governments

Related: Exploitation of Recent Chrome Zero-Day Linked to Israeli Spyware Company

Related: Samsung Patches Critical 0-Click Vulnerability in Smartphones

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...