Samsung phone users under attack, Google warns

Don't ignore this nasty zero-day exploit, says TAG


A nasty bug in Samsung's mobile chips is being exploited by miscreants as part of an exploit chain to escalate privileges and then remotely execute arbitrary code, according to Google security researchers.

The use-after-free vulnerability is tracked as CVE-2024-44068, and it affects Samsung Exynos mobile processors versions 9820, 9825, 980, 990, 850, and W920. It received an 8.1 out of 10 CVSS severity rating, and Samsung, in its very brief security advisory, describes it as a high-severity flaw. The vendor patched the hole on October 7.

While the advisory doesn't make any mention of attackers abusing the vulnerability, according to Googlers Xingyu Jin and Clement Lecigne, someone(s) has already chained the flaw with other CVEs (those aren't listed) as part of an attack to execute code on people's phones.

The bug exists in the memory management and how the device driver sets up the page mapping, according to Lecigne, a member of Google's Threat Analysis Group, and Jin, a Google Devices and Services Security researcher who is credited with spotting the flaw and reporting it to Samsung.

"This 0-day exploit is part of an EoP chain," the duo said. "The actor is able to execute arbitrary code in a privileged cameraserver process. The exploit also renamed the process name itself to 'vendor.samsung.hardware.camera.provider@3.0-service,' probably for anti-forensic purposes."

The Register reached out to Samsung for more information about the flaw and in-the-wild exploits, but did not immediately receive a response. A spokesperson later told us via email, "Samsung is committed to providing the highest level of security for our users. We are aware of the potential security vulnerability mentioned.

"To address this, Samsung has begun rolling out security patches as part of our monthly security maintenance release. We strongly recommend that users keep their devices up-to-date with the latest software updates."

It's worth noting that Google TAG keeps a close eye on spyware and nation-state gangs abusing zero-days for espionage purposes. 

Considering that both of these threats frequently attack mobile devices to keep tabs on specific targets (Google tracked 61 zero-days in the wild that specifically targeted end-user platforms and products in 2023), we wouldn't be too surprised to hear that the exploit chain including CVE-2024-44068 ultimately deploys some snooping malware on people's phones. ®

Editor's note: This story was amended post-publication with comment from Samsung.
