The Project Zero team at Google revealed that a commercial surveillance vendor was exploiting three zero-day security vulnerabilities in newer Samsung smartphone models to spy on people and steal user data.
The three Samsung phone vulnerabilities disclosed by Google’s Threat Analysis Group (TAG) are CVE-2021-25337, CVE-2021-25369, and CVE-2021-25370.
When Google found exploit samples in the late 2020s, it immediately reported these vulnerabilities to Samsung, which have all been patched since by the company in its March 2021 release.
Further, the vulnerabilities, discovered in Samsung’s custom-built software of the devices, were all used together as part of an exploit chain to target Samsung phones running Android.
The chained vulnerabilities would allow the attacker to obtain kernel read and write privileges as the root user, which could eventually disclose personal data on the device.
In addition, the exploit chain targeted Samsung phones running kernel 4.14.113 with the Exynos SOC. According to Google, the models that were affected in the late 2020s were Samsung’s Galaxy S10, Galaxy A50, and Galaxy A51 and running kernel 4.14.113.
Samsung phones with Exynos SOC are primarily sold across Europe and Africa, which were likely where the targets of the surveillance were located. The exploit sample relies on both the Mali GPU driver and the DPU driver that are specific to the Exynos Samsung phones.
The three zero-day vulnerability issues that were discovered by Google’s TAG team are:
- CVE-2021-25337 – Arbitrary file read/write vulnerability via unprotected clipboard content provider: An improper access control in clipboard service in Samsung mobile devices allows untrusted applications to read or write certain local files.
- CVE-2021-25369 – Potential kernel information exposure from sec_log: An improper access control vulnerability in sec_log file exposes sensitive kernel information to userspace.
- CVE-2021-25370 – Memory corruption in Display Processing Unit (DPU) driver: An incorrect implementation handling file descriptor in dpu driver results in memory corruption leading to kernel panic.
The flaws were reportedly exploited by a malicious Android app, likely sideloaded, tricking users into installing from outside of Google Play Store. The malicious app allowed the attacker to escape the app sandbox and access the remaining of the device’s operating system. It, however, isn’t yet known what the final payload actually was.
“The first vulnerability in this chain, the arbitrary file read and write, was the foundation of this chain, used four different times and used at least once in each step,” Maddie Stone, a Google Project Zero security researcher, wrote in a blog post describing the threat.
“The Java components in Android devices don’t tend to be the most popular targets for security researchers despite it running at such a privileged level.”
Stone further added, “All three vulnerabilities in this chain were in the manufacturer’s custom components rather than in the AOSP platform or the Linux kernel. It’s also interesting to note that 2 out of the 3 vulnerabilities were logic and design vulnerabilities rather than memory safety.”
The above vulnerabilities were chained by the commercial surveillance vendor to compromise the Samsung phones.
While Google has not revealed the surveillance vendor’s name, the tech giant highlighted the similarities with other campaigns that targeted Apple and Android users in Italy and Kazakhstan, which has been linked to Italian company RCS Lab.
Stone noted that the advisories published by Samsung at that time did not mention that the vulnerabilities were being actively exploited, but it has since committed to begin disclosing when vulnerabilities are actively exploited, following in the footsteps of Apple and Google, who disclose vulnerabilities that are under attack in their security updates.
“Labeling when vulnerabilities are known to be exploited in-the-wild is important both for targeted users and for the security industry. When in-the-wild 0-days are not transparently disclosed, we are not able to use that information to further protect users, using patch analysis and variant analysis, to gain an understanding of what attackers already know,” concludes the blog post.
“The analysis of this exploit chain has provided us with new and important insights into how attackers are targeting Android devices. It highlights a need for more research into manufacturer specific components. It shows where we ought to do further variant analysis.”