Some Samsung smartphones reportedly had a very serious vulnerability in their processors, allowing threat actors to escalate their privileges and potentially plant malware on the devices.
Cybersecurity researchers from Google’s Threat Analysis Group (TAG) found the flaw and reported it to Samsung, which fixed the vulnerability on October 7 with a patch and a follow-up security advisory.
In the advisorythe flaw was described as a use-after-free vulnerability, tracked as CVE-2024-44068, with a severity score of 8.1 (high severity), found in Samsung Exynos mobile processors versions 9820, 9825, 980, 990, 850 and W920.
Vulnerability chain
Samsung phones powered by these chips include parts of the S10 series, Note 10 and 10+, the S20 series, as well as the Samsung Galaxy A51 5G and Samsung Galaxy A71 5G. The Exynos W920 is mainly used in wearable devices such as Samsung’s Galaxy Watch series.
TAG researchers suggested that the vulnerability is being exploited in the wild, as part of a larger chain that also uses other bugs.
“This 0-day exploit is part of an EoP chain,” TAG said in its technical article. “The actor could execute arbitrary code in a privileged camera server process. The exploit also renamed the process name itself to ‘vendor.samsung.hardware.camera.provider@3.0-service’, likely for anti-forensic purposes.” No mention was made of other vulnerabilities exploited as part of the chain.
Google researchers have not discussed the identities of the miscreants who exploited this flaw. However, it’s worth mentioning that TAG typically tracks nation-states and state-sponsored threat actors, so it’s safe to assume that this bug has also been exploited by a similar team.
Nation states typically engage in cyber espionage and identity theft, so it is possible that whoever exploited this flaw attempted to plant an infostealer or a tracker on a Samsung device.
