Android Security Update Patches Kernel Vulnerability Exploited by Spyware Vendor – Source: www.securityweek.com

Google’s Android security updates for May 2023 patch more than 40 vulnerabilities, including a kernel flaw exploited as a zero-day by a spyware vendor. 

The latest Android updates patch vulnerabilities in the framework, system, kernel, Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm components. 

A vast majority of the security holes have been assigned a ‘high severity’ rating and they can be exploited for privilege escalation, DoS attacks, and information disclosure. 

The vulnerability that was exploited as a zero-day is tracked as CVE-2023-0266 and it has been described by Google as a moderate-severity kernel flaw that can be exploited for local privilege escalation without user interaction. An entry in NIST’s National Vulnerability Database describes it as a high-severity use-after-free in the Linux kernel’s ALSA PCM package.

Exploitation of the vulnerability was first mentioned by Google in late March, when the company described several Android and iOS zero-day vulnerabilities whose exploitation had been linked to commercial spyware vendors.

In the case of CVE-2023-0266, it was used as part of an exploit chain involving several vulnerabilities, including ones impacting Chrome and the Mali GPU kernel driver. The attackers delivered the exploits as links sent to the targeted individual via SMS. The hackers actually targeted the Samsung Internet Browser, which is based on Chromium but lacks some of the important mitigations present in Chrome. 

The targets were users in the United Arab Emirates and the attackers’ goal was to deliver full-featured Android spyware to their devices. The attacks are believed to have been carried out by a customer or partner of a Spanish spyware vendor named Variston, whose activities were brought to light by the tech giant in November 2022. 

CVE-2023-0266 was also added in late March to the Known Exploited Vulnerabilities Catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA). 

According to data from Google, three Android vulnerabilities that came to light this year have been exploited in attacks. 

Google this week also released a security update for its Pixel phones to patch a couple of vulnerabilities. CVE-2023-0266 was patched in Pixel devices in April. 

Related: Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation

Related: Android’s April 2023 Updates Patch Critical Remote Code Execution Vulnerabilities

Related: Google Patches Android Zero-Day Exploited in Targeted Attacks