The flaws, tracked as CVE-2021-25337, CVE-2021-25369 and CVE-2021-25370, have been chained and exploited against Android phones, but they impact custom Samsung components. The security holes have been described as an arbitrary file read/write issue via a custom clipboard content provider, a kernel information leak, and a use-after-free in display processing unit driver.
“All three vulnerabilities in this chain were in the manufacturer’s custom components rather than in the AOSP platform or the Linux kernel. It’s also interesting to note that 2 out of the 3 vulnerabilities were logic and design vulnerabilities rather than memory safety,” explained Google Project Zero’s Maddie Stone.
Malware on the Google Play store leads to harmful phishing sites
Google’s researchers have not identified the application used to deliver the exploit or the final payload deployed by the attacker. However, they determined that the vulnerabilities have been used to write a malicious file to the targeted device, bypass security mechanisms, and obtain kernel read and write access.
Google reported the vulnerabilities to Samsung in late 2020, when it found exploit samples. The tech giant released patches in March 2021.
According to Google, the kernel versions targeted by the exploit were running on Samsung S10, A50 and A51 smartphones in late 2020.
Google’s Threat Analysis Group believes the exploit has been developed by a commercial surveillance vendor. While that vendor has not been named, Google noted that the method used for initial code execution via an application is similar to other campaigns, including one targeting Apple and Android smartphones in Italy and Kazakhstan, which has been linked to Italian company RCS Lab.
Google is aware of half a dozen other Samsung vulnerabilities with 2021 CVE identifiers that have been exploited in attacks, but details have yet to be disclosed.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added the three Samsung vulnerabilities to its known exploited vulnerabilities catalog, instructing government agencies to patch them until November 29.
Project Zero pointed out that Samsung’s advisories still do not mention in-the-wild exploitation of these vulnerabilities, but the vendor has allegedly promised that in the future it will warn customers when malicious exploitation is detected.