Update: Republished on April 10 with confirmation that cyber attacks are now targeting Android phones with sophisticated new spyware.
We live in interesting times. For the third month running, Google has confirmed the bad news that Android phones are under attack, as another routine monthly security release turns into an update-now emergency warning. There is one critical difference this time though, with major implications for both Pixel and Samsung.
“There are indications,” Google warns, that CVE-2024-53150 and CVE-2024-53197 “may be under limited, targeted exploitation.” The first is a memory vulnerability within Android’s kernel, leaving a device exposed to local data exfiltration. If that brings forensic exploits to mind, then the second vulnerability hammers it home. This is another of the flaws known to have been exploited by Cellebrite in Europe.
While Android zero-days may now be the norm, what isn’t the norm is Samsung matching Pixel’s pace in rushing out these updates. Last month, the Galaxy-maker missed one of Android’s exploited fixes yet again. But CVE-2024-50302 from March is included in Samsung’s April update, a month behind Pixel. Much more notably, both of Android’s April fixes are also included in Samsung’s April release. That’s a big deal.
According to Android hardener GrapheneOS, these “2 more vulnerabilities marked as being exploited in the wild [are] both vulnerabilities for locked devices,” which its software “made both far harder to exploit while unlocked.” It says both vulnerabilities “were being exploited by Cellebrite for data extraction from locked Android devices.”
With perfect timing, the need to ensure Android (and iPhone) phones are always updated when new security fixes are released has been reinforced by a raft of government intel agencies. “In new advisories,” the cyber wing of the U.K. spy agency warned “the National Cyber Security Centre (NCSC) – a part of GCHQ – and agencies in Australia, Canada, Germany, New Zealand and the United States have revealed details about how malicious cyber actors are using two forms of spyware to target individuals.”
The latest attacks have been attributed to Chinese state affiliated actors, targeting “Uyghur, Tibetan and Taiwanese communities as well as civil society groups… The malicious software – dubbed MOONSHINE and BADBAZAAR – hide malicious functions inside otherwise legitimate apps in a technique known as ‘trojanising’.”
These trojans hijack a device, accessing microphones, cameras and on-device data including messaging and photos, as well as deploying real-time tracking. These kinds of vulnerabilities are being exploited by forensic firms, cybercriminals and state actors. There’s a constant game of cat and mouse with Google, Samsung and other OEMs — as well as Apple — to stay ahead, or rather not too far behind.
But Samsung has been falling behind in security updates just as the Android world obsesses about its delays on Android OS upgrades as well. With notable timing, these security updates turned up the same day Samsung finally started to roll out its stable One UI 7 / Android 15 upgrade to its 2024 and 2023 flagships.
Yet again this month we have seen forensic exploits patched by either Android or iPhone, with both global operating systems clearly vulnerable to the deep pockets of an industry primed to break device security. Samsung’s One UI 7 includes new protections against these forensic exploits, and Android 16 looks like it will match iPhone’s inactivity reboot, making such exploits harder. Interesting times indeed.