Zebeth Media Solutions

mobile spyware

Google says surveillance vendor targeted Samsung phones with zero-days • ZebethMedia

Google says it has evidence that a commercial surveillance vendor was exploiting three zero-day security vulnerabilities found in newer Samsung smartphones. The vulnerabilities, discovered in Samsung’s custom-built software, were used together as part of an exploit chain to target Samsung phones running Android. The chained vulnerabilities allow an attacker to gain kernel read and write privileges as the root user, and ultimately expose a device’s data. Google Project Zero security researcher Maddie Stone said in a blog post that the exploit chain targets Samsung phones with a Exynos chip running a specific kernel version. Samsung phones are sold with Exynos chips primarily across Europe, the Middle East, and Africa, which is likely where the targets of the surveillance are located. Stone said Samsung phones running the affected kernel at the time include the S10, A50, and A51. The flaws, since patched, were exploited by a malicious Android app, which the user may have been tricked into installing from outside of the app store. The malicious app allows the attacker to escape the app sandbox designed to contain its activity, and access the rest of the device’s operating system. Only a component of the exploit app was obtained, Stone said, so it isn’t known what the final payload was, even if the three vulnerabilities paved the way for its eventual delivery. “The first vulnerability in this chain, the arbitrary file read and write, was the foundation of this chain, used four different times and used at least once in each step,” wrote Stone. “The Java components in Android devices don’t tend to be the most popular targets for security researchers despite it running at such a privileged level,” said Stone. Google declined to name the commercial surveillance vendor, but said the exploitation follows a pattern similar to recent device infections where malicious Android apps were abused to deliver powerful nation-state spyware. Earlier this year security researchers discovered Hermit, an Android and iOS spyware developed by RCS Lab and used in targeted attacks by governments, with known victims in Italy and Kazakhstan. Hermit relies on tricking a target into downloading and installing the malicious app, such as a disguised cell carrier assistance app, from outside of the app store, but then silently steals a victim’s contacts, audio recordings, photos, videos, and granular location data. Google began notifying Android users whose devices have been compromised by Hermit. Surveillance vendor Connexxa also used malicious sideloaded apps to target both Android and iPhone owners. Google reported the three vulnerabilities to Samsung in late 2020, and Samsung rolled out patches to affected phones in March 2021, but did not disclose at the time that the vulnerabilities were being actively exploited. Stone said that Samsung has since committed to begin disclosing when vulnerabilities are actively exploited, following Apple and Google, which also disclose in their security updates when vulnerabilities are under attack. “The analysis of this exploit chain has provided us with new and important insights into how attackers are targeting Android devices,” Stone added, intimating that further research could unearth new vulnerabilities in custom software built by Android device makers, like Samsung. “It highlights a need for more research into manufacturer specific components. It shows where we ought to do further variant analysis,” said Stone.

Inside TheTruthSpy, the stalkerware network spying on thousands • ZebethMedia

A massive cache of leaked data reveals the inner workings of a stalkerware operation that is spying on hundreds of thousands of people around the world, including Americans. The leaked data includes call logs, text messages, granular location data and other personal device data of unsuspecting victims whose Android phones and tablets were compromised by a fleet of near-identical stalkerware apps, including TheTruthSpy, Copy9, MxSpy and others. These Android apps are planted by someone with physical access to a person’s device and are designed to stay hidden on their home screens but will continuously and silently upload the phone’s contents without the owner’s knowledge. SPYWARE LOOKUP TOOL You can check to see if your Android phone or tablet was compromised here. Months after we published our investigation uncovering the stalkerware operation, a source provided ZebethMedia with tens of gigabytes of data dumped from the stakerware’s servers. The cache contains the stalkerware operation’s core database, which includes detailed records on every Android device that was compromised by any of the stalkerware apps in TheTruthSpy’s network since early 2019 (though some records date earlier) and what device data was stolen. Given that victims had no idea that their device data was stolen, ZebethMedia extracted every unique device identifier from the leaked database and built a lookup tool to allow anyone to check if their device was compromised by any of the stalkerware apps up to April 2022, which is when the data was dumped. ZebethMedia has since analyzed the rest of the database. Using mapping software for geospatial analysis, we plotted hundreds of thousands of location data points from the database to understand its scale. Our analysis shows TheTruthSpy’s network is enormous, with victims on every continent and in almost every country. But stalkerware like TheTruthSpy operates in a legal gray area that makes it difficult for authorities around the world to combat, despite the growing threat it poses to victims. First, a word about the data. The database is about 34 gigabytes in size and consists of metadata, such as times and dates, as well as text-based content, like call logs, text messages and location data — even names of Wi-Fi networks that a device connected to and what was copied and pasted from the phone’s clipboard, including passwords and two-factor authentication codes. The database did not contain media, images, videos or call recordings taken from victims’ devices, but instead logged information about each file, such as when a photo or video was taken, and when calls were recorded and for how long, allowing us to determine how much content was exfiltrated from victims’ devices and when. Each compromised device uploaded a varying amount of data depending on how long their devices were compromised and available network coverage. ZebethMedia examined the data spanning March 4 to April 14, 2022, or six weeks of the most recent data stored in the database at the time it was leaked. It’s possible that TheTruthSpy’s servers only retain some data, such as call logs and location data, for a few weeks, but other content, like photos and text messages, for longer. This is what we found. This map shows six weeks of cumulative location data plotted on a map of North America. The location data is extremely granular and shows victims in major cities, urban hubs and traveling on major transport lines. Image Credits: ZebethMedia The database has about 360,000 unique device identifiers, including IMEI numbers for phones and advertising IDs for tablets. This number represents how many devices were compromised by the operation to date and about how many people are affected. The database also contains the email addresses of every person who signed up to use one of the many TheTruthSpy and clone stalkerware apps with the intention of planting them on a victim’s device, or about 337,000 users. That’s because some devices may have been compromised more than once (or by another app in the stalkerware network), and some users have more than one compromised device. About 9,400 new devices were compromised during the six-week span, our analysis shows, amounting to hundreds of new devices each day. The database stored 608,966 location data points during that same six-week period. We plotted the data and created a time lapse to show the cumulative spread of known compromised devices around the world. We did this to understand how wide-scale TheTruthSpy’s operation is. The animation is zoomed out to the world level to protect individuals’ privacy, but the data is extremely granular and shows victims at transportation hubs, places of worship and other sensitive locations. By breakdown, the United States ranked first with the most location data points (278,861) of any other country during the six-week span. India had the second most location data points (77,425), Indonesia third (42,701), Argentina fourth (19,015) and the United Kingdom (12,801) fifth. Canada, Nepal, Israel, Ghana and Tanzania were also included in the top 10 countries by volume of location data. This map shows the total number of locations ranked by country. The U.S. had the most location data points at 278,861 over the six-week span, followed by India, Indonesia, and Argentina, which makes sense given their huge geographic areas and populations. Image Credits: ZebethMedia The database contained a total of 1.2 million text messages, including the recipient’s contact name, and 4.42 million call logs during the six-week span, including detailed records of who called whom, for how long, and their contact’s name and phone number. ZebethMedia has seen evidence that data was likely collected from the phones of children. These stalkerware apps also recorded the contents of thousands of calls during the six weeks, the data shows. The database contains 179,055 entries of call recording files that are stored on another TheTruthSpy server. Our analysis correlated records with the dates and times of call recordings with location data stored elsewhere in the database to determine where the calls were recorded. We focused on U.S. states that have stricter phone call recording laws, which require that more than

business and solar energy