Google researchers break down Android spyware, zero days

Google’s Threat Analysis Group has provided new information on the various tricks used by surveillance providers to spread Android spyware.

Speaking at the Black Hat 2022 conference on Wednesday, Google researchers detailed a pair of chained exploit attacks that until recently allowed surveillance malware makers to stealthily install their spyware on targets' devices.

Threat Analysis Group (TAG) researchers said that although most reports only focus on one or two surveillance software vendors, such as NSO Group, the ecosystem of covert spyware tools is, in fact, much larger than many realize. TAG said its team alone tracks and catalogs more than 30 different vendors.

In addition to using their own zero-day exploits and techniques, the researchers said some of the vendors have also started collaborating with each other to make their attacks even more effective.

“It’s a very scary industry with many groups involved,” said Christian Resell, security engineer at TAG. “Some of these groups share or sell exploits to each other. There’s a lot of cooperation here.”

TAG researchers noted that many of these attacks chain multiple exploits together and begin with little more contact with the target than the ability to send a one-time hyperlink or unique URL.

In a demonstration, the TAG team showed how a surveillance malware attack chained CVE-2021-38003, a bug in Chrome's V8 JavaScript engine, with CVE-2021-1048, an Android kernel bug, to let an attacker-controlled site escape the Chrome sandbox and gain code execution on the device.

“You get code execution for every process that uses Libc, which is everything,” Resell explained.

Once they have code execution, the attackers launch a remote shell and install commodity data-harvesting malware to collect things like social media interactions and text messages.

Although the flaws have since been patched, attackers can still exploit devices whose owners have not applied the fixes. Many surveillance vendors fingerprint target devices first and then select exploits matched to the OS build and device model.

Other attacks are more technical and difficult to perform. Google security engineer Xingyu Jin showed how a surveillance vendor known as Wintego was able to exploit a Linux kernel use-after-free vulnerability, CVE-2021-0920, to install Android spyware.

Disclosed by Google in November last year, CVE-2021-0920 describes a use-after-free in the Linux kernel's garbage collector for file descriptors passed between processes over Unix domain sockets. By manipulating how those in-flight descriptors are handed to the kernel and reclaimed by it, an attacker can corrupt kernel memory.

The end result is a race condition that is difficult to exploit reliably but, once won, lets the attacker bypass all of Android's sandbox protections and run code with kernel privileges.
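The kernel feature at the heart of CVE-2021-0920 is descriptor passing over AF_UNIX sockets with SCM_RIGHTS: a descriptor handed to sendmsg() lives "in flight" inside the kernel until the receiver calls recvmsg(), and descriptors that are never received (for example a socket sent over itself) form reference cycles that only the kernel's Unix garbage collector can reclaim. The following C program, added here as an illustration and not code from the article, Google TAG or the Linux kernel, exercises that mechanism: it passes a pipe descriptor through a socketpair and checks the received copy works, then deliberately leaves a descriptor in flight so the garbage collector has to clean it up. It is not an exploit; the function names and the single-process setup are this example's own choices, and it assumes a Linux or other POSIX system.

```c
/* Added example (not from the article, Google TAG or the kernel): passing a
 * file descriptor over an AF_UNIX socket with SCM_RIGHTS, the in-flight
 * descriptor path whose garbage collector CVE-2021-0920 concerns.
 * Exercises the feature only; it is not an exploit. POSIX/Linux only. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>

/* Send one descriptor over a connected AF_UNIX socket. Returns 0 on success. */
static int send_fd(int sock, int fd_to_send) {
    char dummy = 'x';                        /* SCM_RIGHTS needs >= 1 data byte */
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new fd number in this process or -1. */
static int recv_fd(int sock) {
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Round trip: pass the write end of a pipe through a socketpair, write via
 * the received copy and read it back from the original pipe.
 * Returns 1 if the passed descriptor is a working duplicate, 0 otherwise. */
int scm_rights_roundtrip(void) {
    int sv[2], pfd[2];
    char buf[8] = {0};
    int ok = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    if (pipe(pfd) < 0) { close(sv[0]); close(sv[1]); return 0; }
    /* Normally the receiver is another process; the kernel path is the same
     * within one process: the fd sits in sv[1]'s receive queue ("in flight")
     * until recvmsg installs it in the receiver's descriptor table. */
    if (send_fd(sv[0], pfd[1]) == 0) {
        int got = recv_fd(sv[1]);
        if (got >= 0) {
            if (write(got, "hello", 5) == 5 && read(pfd[0], buf, 5) == 5)
                ok = memcmp(buf, "hello", 5) == 0;
            close(got);
        }
    }
    close(pfd[0]); close(pfd[1]); close(sv[0]); close(sv[1]);
    return ok;
}

/* A descriptor that is never received: sending sv[1] over sv[0] queues a
 * reference to sv[1] inside sv[1]'s own receive queue. After both user-space
 * descriptors are closed, that cycle is reachable only by the kernel's Unix
 * garbage collector. Returns 0 on success; nothing is observable from user
 * space, which is part of why this path is a hard place to find bugs. */
int leave_fd_in_flight(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int rc = send_fd(sv[0], sv[1]);   /* sv[1] now in flight in its own queue */
    close(sv[0]);
    close(sv[1]);                     /* kernel's unix_gc must break the cycle */
    return rc;
}

int main(void) {
    printf("SCM_RIGHTS round trip: %s\n", scm_rights_roundtrip() ? "ok" : "failed");
    printf("in-flight cycle closed: %s\n", leave_fd_in_flight() == 0 ? "ok" : "failed");
    return 0;
}
```

Compile with `cc -o scmrights scmrights.c` and run it; both lines should report "ok". The second function is the pattern worth remembering when reading the CVE-2021-0920 write-up: any sequence that leaves sockets queued inside each other forces the kernel's garbage collector to decide which references are still live, and that decision is where the race sits.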

In an accompanying blog post on Wednesday, Jin explained that CVE-2021-0920 was particularly dangerous because it lingered for several years after it was first discovered and reported by a Red Hat developer. And, unfortunately, the vulnerability report sat in a public mailing-list thread the whole time.

“The bug was publicly spotted in 2016, but unfortunately the Linux kernel community did not accept the fix at that time,” Jin wrote. “All threat actors who have seen the public thread may have a chance to develop an LPE [local privilege escalation] exploit against the Linux kernel.”

Whether it's known exploits or zero-days, TAG researchers said the outcome is the same for many of these attacks: complete control over the target device, allowing surveillance vendors' clients to secretly spy on their targets without triggering notifications or security alerts.
