 "Surveillance vendor targeted Samsung smartphones with zero-day bugs: Google")
Google has warned that a commercial surveillance vendor was exploiting three zero-day security vulnerabilities in new Samsung smartphones that could have been exploited to steal users' data.
All three vulnerabilities were in the manufacturer's custom components rather than in the Android Open Source Project (AOSP) platform or the Linux kernel.
"It's also interesting to note that 2 out of the 3 vulnerabilities were logic and design vulnerabilities rather than memory safety," said Maddie Stone, Project Zero.
"While we understand that Samsung has yet to annotate any vulnerabilities as in-the-wild, going forward, Samsung has committed to publicly sharing when vulnerabilities may be under limited, targeted exploitation, as part of their release notes," Stone added in a blog post.
"We hope that, like Samsung, others will join their industry peers in disclosing when there is evidence to suggest that a vulnerability is being exploited in-the-wild in one of their products".
The Google Threat Analysis Group (TAG) obtained a partial exploit chain for Samsung devices that it believes belonged to a commercial surveillance vendor.
"All 3 vulnerabilities are within Samsung custom components, including a vulnerability in a Java component," said the team.
The exploit sample targeted Samsung phones running kernel 4.14.113 with the Exynos SOC.
"Samsung phones run one of two types of SOCs depending on where they're sold. For example the Samsung phones sold in the United States, China, and a few other countries use a Qualcomm SOC and phones sold in most other places (example Europe and Africa) run an Exynos SOC," said the Google team.
Examples of Samsung phones that were running kernel 4.14.113 in late 2020 (when this sample was found) include the S10, A50, and A51 smartphones, the team added.
"The analysis of this exploit chain has provided us with new and important insights into how attackers are targeting Android devices. It highlights a need for more research into manufacturer specific components," said Google.
--IANS
na/ksk/
(Only the headline and picture of this report may have been reworked by the Business Standard staff; the rest of the content is auto-generated from a syndicated feed.)
You’ve reached your limit of {{free_limit}} free articles this month.
Subscribe now for unlimited access.
Already subscribed? Log in
Subscribe to read the full story →
Smart Quarterly
₹900
3 Months
₹300/Month
Smart Essential
₹2,700
1 Year
₹225/Month
Super Saver
₹3,900
2 Years
₹162/Month
Renews automatically, cancel anytime
Here’s what’s included in our digital subscription plans
Exclusive premium stories online
Over 30 premium stories daily, handpicked by our editors
Complimentary Access to The New York Times
News, Games, Cooking, Audio, Wirecutter & The Athletic
Business Standard Epaper
Digital replica of our daily newspaper — with options to read, save, and share
Curated Newsletters
Insights on markets, finance, politics, tech, and more delivered to your inbox
Market Analysis & Investment Insights
In-depth market analysis & insights with access to The Smart Investor
Archives
Repository of articles and publications dating back to 1997
Ad-free Reading
Uninterrupted reading experience with no advertisements
Seamless Access Across All Devices
Access Business Standard across devices — mobile, tablet, or PC, via web or app