Surveillance vendor targeted Samsung smartphones with zero-day bugs: Google


New Delhi, Nov 11 (IANS): Google has warned that a commercial surveillance vendor was exploiting three zero-day security vulnerabilities in new Samsung smartphones that could have been exploited to steal users' data.

All three vulnerabilities were in the manufacturer's custom components rather than in the Android Open Source Project (AOSP) platform or the Linux kernel.

"It's also interesting to note that 2 out of the 3 vulnerabilities were logic and design vulnerabilities rather than memory safety," said Maddie Stone, Project Zero.

"While we understand that Samsung has yet to annotate any vulnerabilities as in-the-wild, going forward, Samsung has committed to publicly sharing when vulnerabilities may be under limited, targeted exploitation, as part of their release notes," Stone added in a blog post.

"We hope that, like Samsung, others will join their industry peers in disclosing when there is evidence to suggest that a vulnerability is being exploited in-the-wild in one of their products".

The Google Threat Analysis Group (TAG) obtained a partial exploit chain for Samsung devices that it believes belonged to a commercial surveillance vendor.

"All 3 vulnerabilities are within Samsung custom components, including a vulnerability in a Java component," said the team.

The exploit sample targeted Samsung phones running kernel 4.14.113 with the Exynos SOC.

"Samsung phones run one of two types of SOCs depending on where they're sold. For example the Samsung phones sold in the United States, China, and a few other countries use a Qualcomm SOC and phones sold in most other places (example Europe and Africa) run an Exynos SOC," said the Google team.

Examples of Samsung phones that were running kernel 4.14.113 in late 2020 (when this sample was found) include the S10, A50, and A51 smartphones, the team added.

"The analysis of this exploit chain has provided us with new and important insights into how attackers are targeting Android devices. It highlights a need for more research into manufacturer specific components," said Google.

 

  

Top Stories


Leave a Comment

Title: Surveillance vendor targeted Samsung smartphones with zero-day bugs: Google



You have 2000 characters left.

Disclaimer:

Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.