Google has revealed that a serious One UI threat has exposed data on some Samsung phones. The company’s Project Zero team revealed details of three Samsung phone zero-day security vulnerabilities that are exploited by a spyware vendor.
The vulnerability found in the One UI software was used as part of a series of exploits targeting Samsung phones running Android. These chained exposures allow attackers to obtain the kernel source code of Galaxy smartphones and ultimately expose their data.
Google’s Project Zero security team further explained that the hackers targeted Samsung phones with Exynos chips running specific kernel versions. For the most part, Galaxy phones with Exynos chips are sold in Europe, the Middle East, and Africa, which are potential surveillance targets.
The US tech giant also revealed the names of Samsung phones whose kernels are currently affected and whose data may have been exposed. These devices include the Galaxy S10, Galaxy A50, and Galaxy A51.
According to sources, the matter has been resolved. The vulnerabilities were exploited by an Android app that tricked some users into installing them without using the Google App Store.
As mentioned, malicious apps allow attackers to break out of the app’s sandbox, which is designed to protect access to devise activity and the operating system.
The first vulnerability in this chain (CVE-2021-25337) is the arbitrary file read and write, which was the foundation of this chain, used four different times, and used at least once in each step.
The second vulnerability (CVE-2021-25369) used by the chain is an information leak to leak the address of the task_struct and sys_call_table. Meanwhile, the final vulnerability in the chain (CVE-2021-25370) is a use-after-free of a file struct in the Display and Enhancement Controller (DECON) Samsung driver for the Display Processing Unit (DPU).
Additionally, Google reported the vulnerabilities to Samsung when it received exploit samples in late 2020. Given that the South Korean company released the patch in March 2021.
Project Zero also noted that Samsung’s bulletin still doesn’t mention the brutal exploitation of these vulnerabilities, but has promised to alert customers if malicious exploits are detected in the future.