Original topic:

Severe One UI threat exposed some Samsung phones data

(Topic created on: 11-13-2022 01:54 AM)


Google has disclosed that a severe One UI threat has exposed data of some Samsung phones. The company’s Project Zero team revealed details of three Samsung phone zero-day security vulnerabilities that are exploited by a spyware vendor.

The vulnerabilities that were found in One UI software were used as part of an exploit series to target Samsung phones running Android. These chained exposures allow an attacker to gain kernel source codes of Galaxy smartphones and eventually expose their data.

The Google Project Zero security team further says that the hacker targets Samsung phones that feature an Exynos chip running a specific kernel version. Mostly, Galaxy phones with Exynos chips are available across Europe, the Middle East, and Africa, which are likely surveillance targets.

The US tech giant also revealed the names of Samsung phones whose kernel is currently affected and whose data may be exposed. These devices include Galaxy S10, Galaxy A50, and Galaxy A51.

According to the information, the issues are already fixed. The vulnerabilities were exploited by an Android application that tricked some users into installing it without using the Google App Store.

The first vulnerability in this chain (CVE-2021-25337) is an arbitrary file read and write, which was the foundation of this chain, used four different times, and used at least once in each step.

The second vulnerability (CVE-2021-25369) used by the chain is an information leak that discloses the addresses of the task_struct and sys_call_table. Meanwhile, the final vulnerability in the chain (CVE-2021-25370) is a use-after-free of a file struct in the Display and Enhancement Controller (DECON) Samsung driver for the Display Processing Unit (DPU).

Furthermore, Google reported these vulnerabilities to Samsung in late 2020, when it received samples of the exploit, and the Korean company released the patch in March 2021.

Project Zero also reported that Samsung’s advisory still doesn’t mention wild exploits of these vulnerabilities, but it has promised to alert customers if malicious exploits are detected in the future.