After reporting two new vulnerabilities within Apple’s ecosystem, Google Project Zero announced three more for Samsung smartphones. The researchers at the project have tracked the vulnerabilities as CVE-2021-25337, CVE-2021-25369, and CVE-2021-25370. These bugs directly exploit Android smartphones and specifically target the custom Samsung components.
Since these are believed to be arbitrary file read/write issues via the clipboard content provider, the threat actor can perform various things, including accessing files, folders, images, videos, and other files available on the target smartphones. According to sources, these are considered to be actively exploited since they are believed to be zero-day vulnerabilities.
Google Project Zero reveals three new Samsung vulnerabilities
According to the reports shared by Google, rather than being the AOSP platform or the Linux kernel, all three vulnerabilities in this chain were in the manufacturer’s bespoke components. Another thing to notice within the vulnerability was mainly based on logic and design flaws rather than memory safety flaws.
However, despite finding and reporting the vulnerability, the researchers did not discover the exploit delivery application or the attacker’s payload. These payloads are capable of gaining read and write access to the kernel. But, the threat actors and several individuals had exploited the flaw to upload a malicious file to the target devices.
Google also reported the vulnerabilities to Samsung in late 2020. The South Korean tech giant released the security patches in March 2021 to fix the exploitable vulnerabilities running on its popular models. Google’s Threat Analysis Group believes that a private for-profit spying firm could have created the exploit, and the technique used in the exploit is the same as the ones used in previous hacking campaigns, such as Apple and Android handsets in Italy and Kazakhstan.
The three vulnerabilities detected by Google are as follows:
- CVE-2021-25370 – Before SMR Mar-2021 Release 1, the dpu driver mishandled file descriptors, which caused memory corruption and kernel panic.
- CVE-2021-25369 – Before SMR Mar-2021 Release 1, the dpu driver mishandled file descriptors, which caused memory corruption and kernel panic.
- CVE-2021-25337 – Untrusted apps can read or write to some local files on Samsung mobile devices before SMR Mar-2021 Release 1 due to improper access control in the clipboard service.
