Google reports details of 'government-backed attacks' targeting Samsung smartphones

Google's threat analysis team, Threat Analysis Group (TAG), has reported details of three types of attacks targeting Android smartphones. All three types of attacks were carried out targeting Samsung smartphones. The Citizen Lab, a private security company that conducted a similar investigation, also reported that the targets of the attack included Egyptian politician Ayman Nour , who was in exile in Turkey.

Protecting Android users from 0-Day attacks
https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/

Pegasus vs. Predator: Dissident's Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware --The Citizen Lab
https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/

All three types of attacks reported by TAG were carried out by the method of 'sending'URL imitating the URL generated by the shortened URL service'by e-mail'. These attacks have been carried out targeting a limited number of dozens of people, and attacks targeting Armenia, Indonesia, Egypt, Greece, Cote d'Ivoire, Spain, Serbia, and Madagascar have been confirmed. 'We are confident that the attack was backed by government agencies,' TAG said.

All three types of attacks were to put spyware 'Alien' on Android smartphones. This 'Alien' includes functions such as recording voice, hiding apps, and issuing electronic certificates, and was responsible for loading spyware 'Predator'. When Google detected an attack, it allegedly sent a ' government-backed attack alert' to the targeted user.

TAG claims that the developer of Predator is the spyware developer 'Cytrox'. The Citizen Lab, which reported similar findings to TAG, also emphasized the involvement of Cytrox in the attack and has published a photo of Cytrox CEO Ivo Malinkovksi. The Citizen Lab also reports that the attacks included Egyptian opposition politician Ayman Nour and exiled Egyptian journalists.

Chrome vulnerabilities 'CVE-2021-37973' 'CVE-2021-37976' 'CVE-2021-38000' 'CVE-2021-38003' and Android vulnerabilities 'CVE-2021-1048' An exploit was used to exploit. The outline of the three types of attacks is as follows.

Attack 1: Executed on Samsung Galaxy S21 in August 2021. An attack was launched on Chrome by exploiting the Chrome vulnerability 'CVE-2021-38000', and an arbitrary URL was loaded into a Samsung browser without the user's permission. Exploits that exploited 'CVE-2021-38000' were sold by brokers and exploited by multiple attackers.

Attack 2: Performed in September 2021 targeting the latest version of Chrome running on the Samsung Galaxy S10. The attack was carried out by evading the Chrome sandbox. As a result of the investigation, the vulnerabilities ' CVE-2021-37973 ' and ' CVE-2021-37976 ' were discovered.

Attack 3: Executed in October 2021 targeting Samsung Android smartphones. The Chrome vulnerability 'CVE-2021-38003' and the Android vulnerability 'CVE-2021-1048' have been exploited. Although 'CVE-2021-1048' was fixed in Linux in September 2020, many Android vendors postponed the fix because it was not flagged as a security issue.

TAG states that there are many cases where 'vulnerabilities that are delayed in fixing' are targeted by attackers, such as Attack 3. 'We are tracking more than 30 vendors offering exploits to government-sponsored attackers,' he said at the end of the report.