Google’s Threat Analysis Group revealed new details today about its efforts to identify and help patch a zero-day exploit impacting Android devices built by a commercial surveillance vendor and dating back to at least 2016. The research, presented at the Black Hat cybersecurity conference in Las Vegas, represents the latest attempt by Google to step up its efforts against a growing private surveillance industry that’s thriving, according to the researchers.
The vulnerability in question, referred to as CVE-2021-0920, was a zero-day “in the wild” exploit in a garbage collection mechanism within the Linux kernel, the core piece of software that governs the entire Linux operating system. Google says the attackers, using an exploit chain that included the vulnerability, were able to remotely gain controls of users’ devices.
Google says it has previously attributed a number of Android zero-day exploits to the developer behind CVE-2021-0920. In this case, a Google spokesperson told Gizmodo the surveillance vendor used “several novel and unseen exploitation techniques to bypass existing defensive mitigations.” That, the spokesperson said, suggests the vendor is well funded.
Though the CVE-2021-0920 vulnerability was patched last September in response to Google’s research, they say the exploit was identified before 2016 and reported on the Linux Kernel Mailing List. A proper patch was offered up at the time, but Linux Foundation developers ultimately rejected it. Google shared the public Linux kernel email thread from the time which shows disagreement on whether or not to implement the patch.
“Why would I apply a patch that’s an RFC, doesn’t have a proper commit message, lacks a proper signoff, and also lacks ACK’s and feedback from other knowledgable developers,” one developer wrote.
Google has ramped up its efforts to spot and publicly identify spyware groups in recent years, partly in response to the sheer increase in the number attacks. In testimony delivered to the House Intelligence Committee earlier this year, Google Threat Analysis Group Director Shane Huntley said, “the growth of commercial spyware vendors and hack-for-hire groups has necessitated growth in TAG [threat analyses groups] to counter these threats.”
Huntley said his team’s recent findings suggest advanced commercial spyware firms, like Israel-based NSO Group, have managed to acquire hacking capabilities once reserved to the world’s most advanced state-sponsored intelligence agencies. The use of those techniques, which can include zero click exploits that take over a device potentially without a user ever engaging with malicious content, appear to be increasing and are being carried out at the behest of governments, Huntley suggested. Seven of the nine zero-day exploits discovered by Huntley’s team last year were reportedly developed by commercial providers and sold to state-sponsored actors. Highly technical surveillance techniques, once available to only a select group of countries, can now simply be purchased by the highest bidder.
“These vendors are enabling the proliferation of dangerous hacking tools, arming nation state actors that would not otherwise be able to develop these capabilities in-house,” Huntley said. “While use of surveillance technologies may be legal under national or international laws, they are found to be used by some state actors for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers, and opposition party politicians.”
“This industry appears to be thriving.” Huntley said.
Lucas Ropek contributed reporting.