Google security researchers stumbled upon a vulnerability that had already been reported in 2016 without ever being fixed. A few years later, it turned up in a spyware vendor's arsenal for hacking Android smartphones.
Hunting for zero-day flaws is not a long, quiet river. Sometimes things get lost along its meanders. The latest example comes from Google's security researchers, who at the Black Hat 2022 conference unveiled a number of zero-day flaws used by surveillance software vendors to hack Android devices.
One of these flaws (CVE-2021-0920) is particularly noteworthy because it was part of a very sophisticated chain of vulnerabilities that allowed remote control of the device with administrator privileges. The flaw lay in the kernel's garbage collection module and was corrected in September 2021. But some quasi-archaeological digging has shown that it had been known since at least 2016.
A missed opportunity
As Gizmodo reports, Google was able to find exchanges on the subject in the Linux kernel mailing list. A patch was even proposed, but it was turned down for lack of general agreement on the matter. One of the Linux kernel developers wrote: “Why should I apply a patch that is just an RFC [Request For Comments, a document describing a technology with a view to future adoption, editor's note] that doesn’t have a decent commit message, lacks a real signature, and doesn’t have commits or feedback from known developers?”
After that, everyone forgot about it, except one spyware vendor, who quietly integrated it into their product without anyone seeing or knowing. It was only when the resulting attacks were analyzed by Google's researchers that the flaw resurfaced and was finally closed. A rather tortuous process that leaves attackers far too much leeway.
Thirty actors tracked closely
At Google, the risk posed by these vendors has become significant. “Previously, we had to focus only on threats like those from China, Russia or North Korea. Now our Threat Analysis Group (TAG) has a team dedicated to vendors and traders (…) TAG actively tracks over 30 vendors with varying levels of sophistication and public exposure, selling exploits or surveillance capabilities to state actors,” Shane Huntley, director of TAG, told the United States House of Representatives a few weeks ago. And this monitoring is all the harder because the techniques used by these actors are of a high level, comparable to those used by nation states.