Update: Samsung has reached out with a statement regarding this issue:
“Samsung takes the security of its products very seriously. We have already taken necessary steps to prevent these potential exploit chains by issuing patches for the Samsung Internet app in December 2022. December’s updates to the Samsung Internet app disable entry points for the remaining vulnerabilities and ensure devices are protected.
We are actively collaborating with our partners to release patches for the remaining vulnerabilities as early as possible, starting April, and recommend all users keep their devices updated with the latest software to ensure the highest level of protection possible.”
Google’s Threat Analysis Group (TAG) has revealed that Samsung has kept a major zero-day security vulnerability in Galaxy devices unpatched for over a year. The flaw exists in ARM’s Mali GPU found in Samsung’s Exynos processors powering millions of Galaxy devices globally. ARM released a patch for in the issue January 2022 but the Korean firm hasn’t included it in its security releases yet.
The said issue, identified by the Common Vulnerabilities and Exposures (CVE) number CVE-2022-22706, is a vulnerability in the Mali GPU Kernel Driver. Discovered by security researchers at Google’s Project Zero team, the flaw was made public in November last year along with many other critical zero-day vulnerabilities affecting millions of Android smartphones globally. Since ARM released the patch in January confirming its exploitation in the wild, phone makers had around eight months to implement the fix downstream.
At the time of disclosure, Project Zero’s Ian Beer said that devices from Samsung, Google, Oppo, Xiaomi, and more brands are at risk. After all, the vulnerability existed in pretty much every Android device featuring a Mali GPU. In a fresh update Wednesday, the TAG revealed that Samsung hasn’t pushed a fix for this vulnerability yet. That’s despite reports of threat actors exploiting the flaw to trick unsuspecting users into clicking on malicious links in the Samsung Internet browser on Galaxy devices.
Samsung has kept a major Mali GPU security flaw unpatched since January 2022
According to the TAG, this exploit chain was discovered in December last year. It could deliver “a fully featured Android spyware suite written in C++ that includes libraries for decrypting and capturing data from various chat and browser applications”. With Samsung leaving the vulnerability unpatched, threat actors used Samsung Internet to trick Galaxy users. “This vulnerability grants the attacker system access,” Clement Lecigne of the TAG explained. They added that version 19.0.6 or newer of the browser app is safe from this exploit.
However, the flaw remains unpatched at the system level. That essentially means that threat actors could come up with new exploits to gain system access to millions of Galaxy devices. Except for the Galaxy S22 series, every other Exynos-powered Galaxy model is vulnerable. The Exynos 2200 chipset that powered the Galaxy S22 series last year features AMD’s RDNA 2-based Xclipse 920 GPU. This is a massive oversight from Samsung. Hopefully, the company will roll out a patch for this vulnerability sooner than later. We will let you know if it releases any official statement on this matter.
2023-03-30 15:05:47