Google Says Surveillance Vendor Targeted Samsung Phones With Zero-Days (techcrunch.com) 5
Google says it has evidence that a commercial surveillance vendor was exploiting three zero-day security vulnerabilities found in newer Samsung smartphones. From a report: The vulnerabilities, discovered in Samsung's custom-built software, were used together as part of an exploit chain to target Samsung phones running Android. The chained vulnerabilities allow an attacker to gain kernel read and write privileges as the root user, and ultimately expose a device's data. Google Project Zero security researcher Maddie Stone said in a blog post that the exploit chain targets Samsung phones with a Exynos chip running a specific kernel version. Samsung phones are sold with Exynos chips primarily across Europe, the Middle East, and Africa, which is likely where the targets of the surveillance are located.
Stone said Samsung phones running the affected kernel at the time include the S10, A50, and A51. The flaws, since patched, were exploited by a malicious Android app, which the user may have been tricked into installing from outside of the app store. The malicious app allows the attacker to escape the app sandbox designed to contain its activity, and access the rest of the device's operating system. Only a component of the exploit app was obtained, Stone said, so it isn't known what the final payload was, even if the three vulnerabilities paved the way for its eventual delivery.
Stone said Samsung phones running the affected kernel at the time include the S10, A50, and A51. The flaws, since patched, were exploited by a malicious Android app, which the user may have been tricked into installing from outside of the app store. The malicious app allows the attacker to escape the app sandbox designed to contain its activity, and access the rest of the device's operating system. Only a component of the exploit app was obtained, Stone said, so it isn't known what the final payload was, even if the three vulnerabilities paved the way for its eventual delivery.
Those aren't "newer" phones (Score:4, Informative)
Samsung Lacks Timely Updates or Why I Buy Pixel (Score:4, Insightful)
My post's title says it all.
Name and shame please (Score:3)
Google declined to name the commercial surveillance vendor, but said the exploitation follows a pattern similar to recent device infections where malicious Android apps were abused to deliver powerful nation-state spyware.
Why would Google not name the vendor that shipped malware as part of their application? Perhaps if companies expected that shipping malware (or just really crappy software for that matter) would get them negative press, companies might put a higher value on shipping secure software and being more careful about their software supply chains (and build processes).