Google Security Researchers Warn a Samsung Zero-Day Exploit Exists in the Wild

• A use-after-free bug could be exploited on a vulnerable Samsung Android device.
• Attackers could abuse the flaw in the m2m scaler driver of some Samsung processors to escalate privileges.
• The tech giant did not address this vulnerability thoroughly, but Google security researchers warned it is exploited in the wild.

Google's Threat Analysis Group (TAG) has raised alarms over a zero-day vulnerability in Samsung's mobile processors, which has been actively exploited in the wild. This security gap enables privilege escalation on vulnerable Android devices, posing a severe threat to affected users.

The vulnerability tracked as CVE-2024-44068 and carrying a CVSS score of 8.1 resides as a use-after-free bug within the m2m scaler driver present in Samsung's Exynos 9820, 9825, 980, 990, 850, and W920 processors. 

Despite Samsung's October 2024 security updates addressing this issue, their advisory remains sparse, particularly concerning the active exploitation of this vulnerability. However, Google researcher Xingyu Jin, who initially reported the flaw, and Google TAG researcher Clement Lecigene have confirmed that the exploit is present in the wild.

The crux of the vulnerability lies in the mishandling of page reference counts during the mapping of userspace pages to I/O pages, crucial for media function hardware acceleration. Attackers can exploit this bug to execute arbitrary code within a privileged camera server process, significantly undermining device security.

The exploit chain reportedly includes a Kernel Space Mirroring Attack (KSMA), bypassing Android kernel isolation protections, while the process name obfuscation hints at potential anti-forensic tactics by the attackers.

“This zero-day exploit is part of an EoP chain. The actor is able to execute arbitrary code in a privileged camera server process. The exploit also renamed the process name itself to ‘[email protected]’, probably for anti-forensic purposes,” the two security researchers pointed out.

While comprehensive details on the specific attacks remain undisclosed, it's notable that Google TAG frequently uncovers zero-days linked to spyware vendors targeting Samsung devices.

This month, Samsung and LG’s Automatic Content Recognition (ACR) surveillance technology used in smart TVs, which is a tracking tool embedded within the TV's operating system, raised privacy concerns.