Google claims it has evidence that three zero-day vulnerabilities recently discovered in Samsung mobile phones were exploited by a commercial surveillance company.
What is a Zero-day Attack?
"Zero-day attack", a common expression in cyber security, describes an attack in which hackers compromise a system by exploiting a security vulnerability. Although the term is often used alongside "vulnerability", "exploit" and "threat", it is important to understand the difference between them.
The flaws found in Samsung's proprietary software were used as part of a chain of attacks targeting Samsung's Android-powered smartphones. Chaining the flaws gives an attacker root read and write access to the kernel, which ultimately exposes the data on the device.
According to a blog post by Google Project Zero security researcher Maddie Stone, the Exynos chip running a specific kernel version is the target of the exploit chain. Exynos chips are predominantly used in Samsung phones sold in Europe, the Middle East and Africa, which is where the surveillance targets are most common.
The S10, A50 and A51 were among the Samsung phones Stone mentioned as running the affected kernel at the time.
A malicious Android application, exploiting loopholes that have since been patched, tricked the user into installing it from somewhere other than the app store. Once it had escaped the application sandbox that is meant to restrict its activities, the rogue software gave the attacker access to the rest of the device's operating system. Although these three flaws opened the door for eventual delivery of the software, Stone noted that only a fraction of the hacking program was actually obtained.
According to Stone, the foundation of the chain was “the first vulnerability in this chain, arbitrary file reading and writing, used four different times and at least once at each stage”. Despite operating at such a privileged level, Stone noted that "Java components on Android devices do not seem to be the top targets for security researchers."
Google declined to name the commercial surveillance vendor, but said the exploit followed a pattern similar to recent device infections in which rogue Android apps were used to spread powerful nation-state spyware.
Hermit, an Android and iOS spyware program created by RCS Lab and used by governments in targeted attacks with known victims in Italy and Kazakhstan, was uncovered by security researchers earlier this year.
Hermit relies on tricking a target into downloading and installing the malicious program from outside the app store, such as a rogue mobile carrier support app, and then collects the victim's contacts, voice recordings, photos, videos, and precise location information.
Google has started notifying the owners of Android devices infected with Hermit. Surveillance vendor Connexxa has also targeted Android and iPhone owners using malicious sideloaded apps.
Samsung received the three vulnerabilities from Google in late 2020 and patched the vulnerable phones in March 2021. However, Samsung did not disclose at the time that the vulnerabilities were being actively exploited. Stone said that Samsung has since agreed to begin disclosing when vulnerabilities are actively exploited, joining Apple and Google, which already do so in their security patches.
“Examination of this open chain has given us new and valuable insight into how attackers are targeting Android devices,” Stone said, implying that further research could reveal new flaws in proprietary software created by Android device manufacturers like Samsung.
“It indicates that more research into manufacturer-specific parts is required,” Stone said, adding that it shows where more research into variants is needed.