According to a blog post by Google Project Zero (via TechCrunch), a trio of zero-day vulnerabilities in some newer Samsung Galaxy phones were being exploited by a commercial surveillance vendor. In Project Zero's usage, that term means a company that sells exploits and spyware to its customers, which is not the same thing as the telecommunications or technology companies that track their own users in order to monetize personal data through targeted advertising. The chain could also have a more sinister purpose (more on that below).
Some Samsung Galaxy handsets using the in-house Exynos chipset had these vulnerabilities
The Federal Trade Commission describes commercial surveillance as the “collection, aggregation, analysis, storage, transfer, or monetization of consumer data and direct derivatives of such information.” Beyond the direct harm those practices do to consumers, the FTC is gathering information on whether they also lead to psychological harm, reputational damage, and unwanted intrusions during the collection of that personal data.
One of the phones exploited was the Samsung Galaxy S10
But this particular situation could be more serious. While Google did not name a specific commercial surveillance vendor, it said the chain resembled a previously analyzed exploit that delivered “powerful nation-state spyware” via a malicious Android app. The vulnerabilities found in Samsung’s custom software were part of an exploit chain that gave the attacker kernel read and write privileges, enough to expose any personal data on the phone.
The exploit targets Samsung Galaxy handsets powered by an Exynos SoC and running kernel 4.14.113. Phones matching this description include the Samsung Galaxy S10, Galaxy A50, and Galaxy A51. The versions of these phones sold in the United States and China are equipped with a Qualcomm Snapdragon chipset, while in most other regions, including Europe and Africa, the Exynos SoC is used. Google says the exploit “relies on both Mali GPU driver and DPU driver which are specific to Exynos Samsung phones”.
The problems started when a user was tricked into sideloading an app onto their phone. Sideloading means installing an app from outside the Google Play Store, for example from a third-party Android app store or a downloaded APK file. Google reported the vulnerabilities to Samsung in 2020, and although Samsung shipped a patch in March 2021, the company did not note that the vulnerabilities were being actively exploited.
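The two facts above (which hardware and kernel the chain targets, and when Samsung shipped the fix) are enough for a quick triage of a handset. The following shell function is an added example, not code from Project Zero or Samsung. It takes the kernel version, the Android security patch level and the board platform string, which on a real device would be read with `adb shell uname -r`, `adb shell getprop ro.build.version.security_patch` and `adb shell getprop ro.board.platform`. The property names are standard Android build properties; the assumptions are that Exynos devices report a platform string beginning with `exynos`, and that a build carrying the March 2021 fix has a patch level of 2021-03-01 or later. A match on kernel and SoC only means the phone fits the profile the exploit was written for; it is the patch level that says whether the fix is present.

```shell
#!/bin/sh
# Added triage helper (not from Project Zero or Samsung). Classifies a
# handset against the profile described in the article: Exynos SoC,
# kernel 4.14.113, and a security patch level older than the March 2021 fix.
#
# Inputs on a real device:
#   adb shell uname -r                              -> KERNEL_VERSION
#   adb shell getprop ro.build.version.security_patch -> PATCH_LEVEL (YYYY-MM-DD)
#   adb shell getprop ro.board.platform             -> BOARD_PLATFORM
# Assumption: Exynos platforms report a value starting with "exynos".

# Usage: exposure_status KERNEL_VERSION PATCH_LEVEL BOARD_PLATFORM
# Prints exactly one of: not-exynos, other-kernel, patched, exposed
exposure_status() {
  kernel="$1"
  patch="$2"
  platform="$3"

  # Snapdragon builds of the same models do not carry the Exynos-specific
  # Mali GPU and DPU drivers the chain relies on.
  case "$platform" in
    exynos*) ;;
    *) echo "not-exynos"; return 0 ;;
  esac

  # uname -r usually has a build suffix, e.g. "4.14.113-19343204";
  # match on the version prefix only.
  case "$kernel" in
    4.14.113|4.14.113-*) ;;
    *) echo "other-kernel"; return 0 ;;
  esac

  # Patch levels are YYYY-MM-DD. Strip the dashes and compare as integers
  # (the "<" string test is not available in every POSIX sh).
  patch_num=$(printf '%s' "$patch" | tr -d '-')
  if [ "$patch_num" -lt 20210301 ]; then
    echo "exposed"      # fits the targeted profile and predates the fix
  else
    echo "patched"      # fits the profile but already carries the fix
  fi
}

# Constructed sample inputs (not captured from real devices):
exposure_status "4.14.113-19343204" "2020-12-01" "exynos9820"   # exposed
exposure_status "4.14.113-19343204" "2021-03-01" "exynos9820"   # patched
exposure_status "4.14.180-perf"     "2020-12-01" "msmnile"      # not-exynos
exposure_status "4.19.87-21473241"  "2020-12-01" "exynos9610"   # other-kernel
```

Run it with the three values pasted from adb; any result other than `exposed` means the handset either is not in the exploit's target set or already has the March 2021 fix. The check is deliberately conservative: it reports the profile match and the patch state, and makes no claim about whether a given build is actually vulnerable.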
Google’s Maddie Stone, who wrote the blog post, says, “Analyzing this exploit chain has given us important new insights into how attackers are targeting Android devices.” Stone also pointed out that with more research, new vulnerabilities could be discovered in the custom software that phone makers like Samsung add to Android. Stone added, “This highlights the need for more research into manufacturer-specific components. It shows where we should be doing further variant analysis.”
Use the comments section on the Play Store or a third-party Android app store to check for red flags
Going forward, Samsung has agreed to disclose when its vulnerabilities are being actively exploited, joining Apple and Google, which already flag in-the-wild exploitation in their security advisories.
Back in June we told you about a spyware called Hermit that has been used by governments against targeted victims in Italy and Kazakhstan. Like the exploit chain found on the three Exynos-powered Galaxy phones, Hermit required the victim to install a malicious app. Once installed, the malware could steal contacts, location data, photos, videos and audio recordings from the victim’s handset.
A quick and dirty rule that might still work these days is to carefully review the comments section before installing an app from a developer you’ve never heard of before. If any red flags appear, quickly flee this app’s listing and never look back. An even better tip is not to sideload apps at all. Yes, apps with malware too often slip through Google Play’s checks, but you’re still far less likely to get “infected” if you install only from the Play Store.