Google has warned that a commercial surveillance vendor was exploiting three zero-day security vulnerabilities in new Samsung smartphones that could have been exploited to steal users' data.All three vulnerabilities were in the manufacturer's custom components rather than in the Android Open Source Project (AOSP) platform or the Linux kernel.
"It's also interesting to note that 2 out of the 3 vulnerabilities were logic and design vulnerabilities rather than memory safety," said Maddie Stone, Project Zero."While we understand that Samsung has yet to annotate any vulnerabilities as in-the-wild, going forward, Samsung has committed to publicly sharing when vulnerabilities may be under limited, targeted exploitation, as part of their release notes," Stone added in a blog post.
"We hope that, like Samsung, others will join their industry peers in disclosing when there is evidence to suggest that a vulnerability is being exploited in-the-wild in one of their products".The Google Threat Analysis Group (TAG) obtained a partial exploit chain for Samsung devices that it believes belonged to a commercial surveillance vendor.
"All 3 vulnerabilities are within Samsung custom components, including a vulnerability in a Java component," said the team.The exploit sample targeted Samsung phones running kernel 4.14.113 with the Exynos SOC.
"Samsung phones run one of two types of SOCs depending on where they're sold. For example the Samsung phones sold in the United States, China, and a few other countries use a Qualcomm SOC and phones sold in most other places (example Europe and Africa) run an Exynos SOC," said the Google team.
Examples of Samsung phones that were running kernel 4.14.113 in late 2020 (when this sample was found) include the S10, A50, and A51 smartphones, the team added."The analysis of this exploit chain has provided us with new and important insights into how attackers are targeting Android devices. It highlights a need for more research into manufacturer specific components," said Google.