Vulnerability in Samsung Android driver under attack
Drivers for Samsung's mobile processors allow attackers to escalate their privileges. Google warns of ongoing attacks exploiting this.
Google's TAG team has discovered a security vulnerability in Android drivers for Samsung's mobile processors that has been abused in the wild. Samsung is closing it with the security updates for smartphones in October.
In their analysis, Google's IT security researchers write that there is a use-after-free vulnerability in the Samsung driver "m2m1shot_scaler0", which attackers have already exploited. The driver is used for hardware-accelerated multimedia functions such as JPEG decoding and image resizing. In a use-after-free vulnerability, the program code incorrectly accesses resources that have already been released and whose contents are therefore undefined. This can often be abused to execute injected malicious code.
No details about the attacks
Google's analysis does not reveal the nature of the attacks or who carried them out against whom. However, the exploit for the vulnerability is part of a privilege escalation chain. Malicious actors end up executing arbitrary code in a highly privileged "cameraserver" process. The exploit also renamed the process to "vendor.samsung.hardware.camera.provider@3.0-service", presumably to make forensic analysis more difficult.
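A check for the renaming described above, as an added example that is not part of Google's analysis or the original article: it compares the name a process presents (argv[0] and comm) with the basename of its executable. The sample snapshot is constructed, and the vendor path, the PIDs and the assumption that the rename leaves /proc/<pid>/exe untouched are illustrative.

```python
import posixpath

COMM_MAX = 15  # Linux truncates /proc/<pid>/comm to 15 characters

# Assumption: Android app processes forked from zygote run as app_process
# and legitimately take the package name, so they are not flagged.
RENAMING_EXES = {"app_process", "app_process32", "app_process64"}

def exe_basename(proc):
    """Basename of the /proc/<pid>/exe target, ignoring a ' (deleted)' suffix."""
    return posixpath.basename(proc["exe"].removesuffix(" (deleted)"))

def claimed_names(proc):
    """Names the process presents about itself: argv[0] basename and comm."""
    names = set()
    argv0 = proc.get("cmdline", "").split("\0")[0]
    if argv0:
        names.add(posixpath.basename(argv0))
    if proc.get("comm"):
        names.add(proc["comm"])
    return names

def is_masquerading(proc):
    """True if any presented name disagrees with the executable's basename."""
    exe = exe_basename(proc)
    if exe in RENAMING_EXES:
        return False
    allowed = {exe, exe[:COMM_MAX]}
    return any(name not in allowed for name in claimed_names(proc))

def find_masquerading(snapshot):
    return [p["pid"] for p in snapshot if is_masquerading(p)]

PROVIDER = "vendor.samsung.hardware.camera.provider@3.0-service"

# Constructed snapshot: one record per process, as collected from
# /proc/<pid>/exe, /proc/<pid>/cmdline and /proc/<pid>/comm.
SAMPLE = [
    {"pid": 812, "exe": "/system/bin/cameraserver",
     "cmdline": "/system/bin/cameraserver\0", "comm": "cameraserver"},
    {"pid": 845, "exe": "/vendor/bin/hw/" + PROVIDER,  # assumed path
     "cmdline": "/vendor/bin/hw/" + PROVIDER + "\0", "comm": PROVIDER[:15]},
    {"pid": 2291, "exe": "/system/bin/cameraserver",   # renamed process
     "cmdline": PROVIDER + "\0", "comm": PROVIDER[:15]},
    {"pid": 3010, "exe": "/system/bin/app_process64",
     "cmdline": "com.example.gallery\0", "comm": "example.gallery"},
]

if __name__ == "__main__":
    print(find_masquerading(SAMPLE))
```

The check only helps where the executable link can still be read; a process whose exe link has also been altered needs other evidence, such as memory maps or parent-process lineage.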
The IT forensics experts discuss in detail how the exploit maps memory pages from user space into I/O memory pages, issues a firmware command and finally "tears down" the mapped I/O memory pages to reach code in physical memory. Google's employees do not, however, discuss what the attacks on smartphones actually look like: whether they are carried out with manipulated websites, prepared media streams or even malicious apps. They do write that the Galaxy S10, for example, is vulnerable to the exploit.
Samsung received information about the vulnerability, tracked as CVE-2024-44068, on July 19 of this year, according to its own announcement. According to this, the Samsung mobile processors Exynos 9820, 9825, 980, 990, 850 and W920 are affected. In October, Samsung closed the security gap with the Security Maintenance Release (SMR). Anyone who has already installed the Samsung October updates on their smartphone is therefore protected against the attacks. These are now available for numerous smartphone models, including the Galaxy S10 model under investigation. However, the update paralyzed numerous phones; cynics could also see this as a solution to the problem. For the affected Samsung Smartwatches 4 and 5 with the Exynos W920 processor, however, no fix is available yet.
Anyone using Samsung smartphones should check whether a firmware update is available and install it quickly.
(dmk)