Google Claims Samsung Phones Were Targeted in Surveillance by a Vendor

Google declined to identify the vendor of commercial surveillance but stated that the exploitation is similar to recent malware-infected Android devices.

Security researchers discovered Hermit earlier this year. This Android spyware was developed by RCS Lab. It is used in targeted attacks by governments. There are known victims in Italy, Kazakhstan, and other countries. Hermit works by tricking the target to download and install the malicious app (such as a disguised mobile carrier assistance app) from outside the app store. Then, silently, the victim’s contact information, audio recordings, photos and location data are stolen. Google began notifying Android users whose devices were compromised by Hermit. Connexxa, a surveillance vendor, also used maliciously sideloaded apps in order to target both iPhone and Android owners.

In late 2020, Google reported the three vulnerabilities on Samsung.

Samsung released patches in March 2021 for affected phones but didn’t disclose that the vulnerabilities were being actively exploited at the time. Stone stated that Samsung now discloses when vulnerabilities are being actively exploited. This follows Apple as well as Google which, according to security updates, also disclose when vulnerabilities are under attack.

Stone said, “The analysis on this exploit chain gave us new and important insight into how attackers target Android devices,” adding that additional research could uncover new vulnerabilities in custom-made software by Android device manufacturers like Samsung.

It highlights the need to do more research on manufacturer-specific components. Stone said that it shows us where we should do more variant analysis.