Google’s Project Zero team, which finds and analyzes zero-day security vulnerabilities, has revealed that an unnamed commercial surveillance company built spyware that exploited three vulnerabilities specific to Samsung phones with Exynos SoCs. Project Zero obtained a sample of the exploit chain in 2020 and reported the three vulnerabilities to Samsung, which published patches in March 2021. Samsung users should confirm that their devices carry the March 2021 Security Maintenance Release (SMR-MAR-2021) or a later security patch level; anything older leaves the phone open to spyware that leverages this chain.
Spyware built by commercial surveillance firms is often sold to state actors, who may deploy it in targeted attacks on political dissidents or foreign adversaries. Earlier this year, Google published an analysis of spyware named “Hermit” developed by RCS Labs. NSO Group has also been in the news repeatedly for its Pegasus spyware, which was found on the phones of at least nine US State Department employees. Commercial spyware of this kind can be extremely potent, frequently chaining multiple zero-day vulnerabilities, and the exploit chain targeting Samsung phones is no exception.
Project Zero’s analysis found that the chain would let a malicious app escape the Android application sandbox that normally confines it and attack the operating system itself, escalating from ordinary app permissions to control over the device. Such an attack could turn the phone into a surveillance tool without the owner’s knowledge. However, the sample Google analyzed did not include the final payload, so exactly what spyware built on this chain would do once it gained that access is unknown.
The vulnerabilities used in the chain are specific to phones powered by Samsung’s Exynos SoC (system-on-a-chip) and running kernel 4.14.113. Samsung devices matching that description at the time Project Zero found the chain include the Galaxy S10 lineup as well as the Galaxy A50 and A51. One caveat: Galaxy S models sold in the United States use Qualcomm’s Snapdragon SoCs rather than Exynos, so the chain would not have worked against them. Whichever SoC a Samsung phone uses, it should now be safe from this exploit chain as long as it has received the March 2021 security update or later.
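To turn the conditions above into a concrete check, the following script is an added example, not code from the article or from Project Zero. It classifies a Samsung device from three values the article names: the SoC platform, the kernel release, and the Android security patch level, which should be at or past the March 2021 release. The Android system properties `ro.board.platform` and `ro.build.version.security_patch` and the `uname -r` output are standard; the `assess_via_adb` wrapper, the verdict names and the sample device values are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the article or Project Zero): triage a Samsung phone
# against the three conditions the article gives for this exploit chain:
# Exynos SoC, kernel 4.14.113, security patch level earlier than March 2021.
# ro.board.platform and ro.build.version.security_patch are standard Android
# system properties; the sample values at the bottom are constructed.

PATCHED_SPL=20210301   # the March 2021 SMR shipped the fixes, per the article

# assess_device PLATFORM KERNEL_RELEASE SECURITY_PATCH_LEVEL
# Prints exactly one verdict: patched, exposed, outdated or invalid-spl.
# Always returns 0 so it is safe inside $(...) under "set -e".
assess_device() {
  platform=$1
  kernel=$2
  spl=$3

  # The security patch level is YYYY-MM-DD; validate it, then drop the dashes
  # so the date can be compared as a plain integer.
  case "$spl" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo invalid-spl; return 0 ;;
  esac
  spl_num=$(printf '%s' "$spl" | sed 's/-//g')

  # At or past the fixed release: the chain is closed regardless of SoC.
  if [ "$spl_num" -ge "$PATCHED_SPL" ]; then
    echo patched
    return 0
  fi

  # Below the fixed release: is the device in the population the chain hit?
  case "$platform" in
    *exynos*) on_exynos=1 ;;
    *)        on_exynos=0 ;;
  esac
  case "$kernel" in
    4.14.113|4.14.113-*|4.14.113+*) on_kernel=1 ;;
    *)                              on_kernel=0 ;;
  esac

  if [ "$on_exynos" -eq 1 ] && [ "$on_kernel" -eq 1 ]; then
    echo exposed    # unpatched Exynos device on 4.14.113: the chain's target
  else
    echo outdated   # unpatched, but outside this chain's described scope
  fi
  return 0
}

# assess_via_adb: read the same three values from a connected device.
# Only runs when the script is invoked with --adb, so the file can also be
# sourced or tested offline. adb output carries CRs, hence tr -d '\r'.
assess_via_adb() {
  p=$(adb shell getprop ro.board.platform | tr -d '\r')
  k=$(adb shell uname -r | tr -d '\r')
  s=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
  printf '%s %s %s -> %s\n' "$p" "$k" "$s" "$(assess_device "$p" "$k" "$s")"
}

if [ "${1:-}" = "--adb" ]; then
  assess_via_adb
else
  # Constructed sample devices, not captured from real hardware.
  for sample in "exynos9820 4.14.113-example 2021-02-01" \
                "exynos9820 4.14.113-example 2021-03-01" \
                "msmnile 4.14.190-perf 2021-02-01"; do
    set -- $sample
    printf '%-12s %-18s %s -> %s\n' "$1" "$2" "$3" "$(assess_device "$1" "$2" "$3")"
  done
fi
```

Run it with `--adb` against a device that has USB debugging enabled, or call `assess_device` directly with values copied from Settings > About phone. The patch-level comparison does the real work: a device at or past the March 2021 release is reported as patched whatever its SoC, which matches the article's point that keeping up with security updates closes the chain on Snapdragon and Exynos models alike.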