21:47
13:01
12:55
21:19
10:55
10:54
21:47
13:01
12:55
21:19
10:55
10:54
21:47
13:01
12:55
21:19
10:55
10:54
21:47
13:01
12:55
21:19
10:55
10:54
Google has discovered three zero-day security vulnerabilities found in Samsung smartphones used by a commercial surveillance vendor.
A chain of vulnerabilities allowing an attacker to gain kernel read and write privileges as root user and ultimately expose device data were discovered in Samsung's software.
Google Project Zero security researcher Maddie Stone said the vulnerability affects Samsung phones with an Exynos chip running a specific kernel version. Stone added that Samsung phones with the affected kernel at the time included the S10, A50 and A51.
The flaws have now been fixed. They were exploited by a malicious Android app, which the user could fraudulently install from outside the app shop.
The first vulnerability in this chain, the arbitrary file read and write, was the foundation of this chain, used four different times and used at least once in each step,
wrote Stone.
Google did not name a commercial surveillance vendor, but said the exploitation follows a pattern similar to recent device infections in which malicious Android apps were used to deliver powerful government spyware.