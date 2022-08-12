



Google’s Threat Analysis Group has provided new insight into the various tactics surveillance vendors use to spread Android spyware.

Speaking at the Black Hat 2022 conference on Wednesday, Google researchers described in detail a pair of exploit chains that, until recently, allowed surveillance malware authors to covertly install spyware on target devices without the owners realizing it.

While most reports focus on only one or two surveillance software vendors, such as NSO Group, Threat Analysis Group (TAG) researchers say the reality is that the ecosystem of covert spyware tools is much bigger than most people realize. TAG said its team alone tracks and catalogs more than 30 different vendors.

In addition to leveraging proprietary zero-day exploits and techniques, some vendors have begun collaborating with each other to make their attacks more effective, the researchers say.

TAG Security Engineer Christian Resell said: “Some of these groups actually share or sell exploits to each other. There is a lot of collaboration going on here.”

TAG researchers note that many attacks chain multiple exploits together, starting with little more contact with the target than the ability to send a one-time hyperlink or URL.

In one example, the TAG team showed a single surveillance malware attack that chained together CVE-2021-38003 and CVE-2021-1048, allowing the attack site to escape Chrome's sandbox and compromise Android's libc.

"Every process that uses libc runs code. That's all there is to it," Resell explained.

Once the attacker's code is running, it launches a remote shell and installs popular data-gathering malware to collect social media interactions, text messages, and more.

Although the flaws have been patched, attackers can still exploit devices whose owners have been slow to update. Many surveillance vendors fingerprint target devices and select specific exploits based on the system software and device versions they find.

Other attacks are more technical and difficult to execute. Xingyu Jin, a security engineer at Google, showed how a surveillance vendor known as Wintego took advantage of the Linux use-after-free vulnerability CVE-2021-0920 to install Android spyware.

CVE-2021-0920, published by Google last November, describes a vulnerability in the way the Linux kernel's garbage collection component handles file descriptors that are in transit between processes. By specifically targeting the way file descriptors are sent and received through the kernel, an attacker could potentially execute code with kernel privileges.

The net result is a race condition that is difficult to exploit reliably, but the payoff is huge: it allows attackers to bypass all of Google's sandbox protections and execute code with full privileges.
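The article leaves the mechanism abstract, so the following is an added example (not code from Google TAG, Wintego, or the article) showing the benign Linux behaviour that the garbage collector in question has to track: a file descriptor sent over an AF_UNIX socket as an SCM_RIGHTS message stays "in flight" inside the receiving socket's queue, still alive even after the sender closes its own copy, and a receiver can obtain a copy of it either by dequeuing the message or by merely peeking at it with MSG_PEEK. The kernel's unix GC only has to reason about in-flight AF_UNIX sockets, because only those can form reference cycles; that is why the example passes a socket rather than an ordinary file. The assumptions that this is the "garbage collection component" the article refers to and that SCM_RIGHTS is the send/receive path involved come from the public kernel fix for CVE-2021-0920, not from the article; the function names are hypothetical. The code demonstrates the normal mechanism only, not the race.

```c
/* Added example: lifecycle of an "in-flight" fd passed over an AF_UNIX socket.
   Assumption (not stated in the article): CVE-2021-0920 concerns the kernel's
   garbage collector for fds passed via SCM_RIGHTS. This shows the benign
   mechanism that collector tracks; it does not reproduce the race. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Send one fd over a connected AF_UNIX socket as an SCM_RIGHTS control message. */
static int send_fd(int sock, int fd_to_send)
{
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *cm;

    memset(&u, 0, sizeof(u));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one fd. With flags == MSG_PEEK the kernel installs a copy of the
   in-flight fd in our table but leaves the message (and its fd) queued. */
static int recv_fd(int sock, int flags)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *cm;
    int fd;

    memset(&u, 0, sizeof(u));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);
    if (recvmsg(sock, &msg, flags) != 1)
        return -1;
    cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Read from fd and compare against the expected bytes; 0 on match, -1 otherwise. */
static int read_expect(int fd, const char *want)
{
    char buf[16] = {0};
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    return (n == (ssize_t)strlen(want) && memcmp(buf, want, n) == 0) ? 0 : -1;
}

/* Hypothetical demo: queue one end of an AF_UNIX socketpair inside another
   socket, drop the sender's reference so the queued copy is the only one left,
   then recover it twice: once via MSG_PEEK, once by really dequeuing it.
   Returns 0 on success, -1 on any failure. */
int inflight_fd_demo(void)
{
    int carrier[2], inner[2], peeked, received;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, carrier) < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, inner) < 0) return -1;

    if (send_fd(carrier[0], inner[0]) < 0) return -1;
    close(inner[0]); /* only reference left is the one queued inside carrier[1] */

    /* Peeking still hands us a live copy of the in-flight socket. */
    if (write(inner[1], "hello", 5) != 5) return -1;
    peeked = recv_fd(carrier[1], MSG_PEEK);
    if (peeked < 0) return -1;
    if (read_expect(peeked, "hello") < 0) return -1;

    /* Dequeuing the message delivers the fd for real. */
    received = recv_fd(carrier[1], 0);
    if (received < 0) return -1;
    if (write(inner[1], "world", 5) != 5) return -1;
    if (read_expect(received, "world") < 0) return -1;

    close(peeked); close(received); close(inner[1]);
    close(carrier[0]); close(carrier[1]);
    return 0;
}

int main(void)
{
    int rc = inflight_fd_demo();
    printf("%s\n", rc == 0 ? "in-flight fd round trip ok" : "in-flight fd demo failed");
    return rc == 0 ? 0 : 1;
}
```

The point of the two receives is that, between the sender's close() and the receiver's recvmsg(), the only thing keeping the inner socket alive is the kernel's own bookkeeping of queued fds, and MSG_PEEK hands out references to that object without consuming the message. A collector that frees such an object while a peek is concurrently handing out a reference is exactly the kind of lifetime mistake the article describes as a use-after-free; the example only shows the normal, correctly serialized path.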

In an accompanying blog post on Wednesday, Jin explained that CVE-2021-0920 is particularly dangerous because it lingered for several years after it was first discovered and reported by Red Hat developers, and because the vulnerability report was made in a public email exchange.

"This bug was publicly discovered in 2016, but unfortunately the Linux kernel community did not accept the patch at that time," Jin wrote. "An attacker who sees the published email thread may develop an LPE [local privilege escalation] exploit for the Linux kernel."

Whether it's a known exploit or a cutting-edge zero-day, TAG researchers say the result is the same for many of these attacks: the attacker gains complete control over the target's device, which lets surveillance vendors sell their customers on the ability to spy on targets covertly, without triggering security notifications or alerts.

