Google researchers dissect Android spyware, zero days

Google's Threat Analysis Group provided new insight into the various tricks used by surveillance vendors to spread Android spyware.

Speaking at the 2022 Black Hat conference Wednesday, the Google researchers detailed a pair of chained exploit attacks that have, until recently, allowed the makers of surveillance malware to covertly install their spyware on the devices of unwitting targets.

The Threat Analysis Group (TAG) researchers said that, while most reports only focus on one or two surveillance software vendors, such as NSO Group, the ecosystem for covert spyware tools is, in fact, far larger than many realize. TAG said that its team alone tracks and catalogs more than 30 different vendors.

In addition to making use of their own zero-day exploits and techniques, the researchers said that some of the vendors have also begun collaborating with one another to make their attacks even more effective.

"This is a very frightening industry with a lot of groups involved," said Christian Resell, security engineer with TAG. "Some of these groups are actually sharing or selling exploits amongst one another. There is a lot of cooperation going on here."

The TAG researchers noted that, with many of the attacks, multiple exploits are chained together and start from having little more contact with the target than the ability to send a single-use hyperlink or one-time URL.

In one demonstration, the TAG team showed how one surveillance malware attack had chained together CVE-2021-38003 and CVE-2021-1048 to allow an attack site to escape Chrome's sandbox and then get into the Android Libc component.

"You get code execution for every process that uses Libc, which is everything," Resell explained.

Once the attacker has code execution, they launch a remote shell and install common data harvesting malware to collect things like social media interactions and text messages.

While the flaws have since been patched, attackers are still able to take advantage of devices whose owners have fallen behind on their patching. Many of the surveillance vendors fingerprint target devices and then select specific exploits based on system software and version of the devices.

Other attacks are more technical and tricky to pull off. Google security engineer Xingyu Jin showed how one surveillance vendor known as Wintego was able to take advantage of use-after-free Linux vulnerability, CVE-2021-0920, to install Android spyware.

Disclosed by Google in November of last year, CVE-2021-0920 describes a vulnerability in the way the Linux kernel handles file descriptors by way of a garbage collection component. By specifically targeting the way file descriptors are sent to and from the kernel, an attacker could potentially inject code.

The end result is a race condition that, while difficult to exploit reliably, carries the massive payoff of letting the attacker escape all of Google's sandbox protections and execute code with full privileges.

In an accompanying blog post Wednesday, Jin explained how CVE-2021-0920 was particularly dangerous because it lingered for several years after first being discovered and reported by a Red Hat developer. And, unfortunately, the vulnerability report was contained in a public email exchange.

"The bug was spotted in 2016 publicly, but unfortunately, the Linux kernel community did not accept the patch at that time," Jin wrote. "Any threat actors who saw the public email thread may have a chance to develop an LPE [local privilege escalation] exploit against the Linux kernel."

Whether known exploits or cutting-edge zero days, the TAG researchers said the result is the same across many of these attacks: full control over the target device, which enables the surveillance vendors to pitch customers on the ability to covertly spy on their targets without triggering any security notifications or alerts.