The Serbian government exploited Qualcomm’s zero-day to unlock Android devices and infect them with new spyware called NoviSpy, which is used to spy on activists, journalists, and protesters.
One of the Qualcomm flaws associated with this attack is CVE-2024-43047. It was marked as a zero-day vulnerability that was actively exploited by Google Project Zero in October 2024, and a fix was provided in Android in November.
The spyware, which appears to have been deployed by Serbian authorities based on the content of the communications, was discovered by Amnesty International’s Security Lab on a journalist’s mobile phone returned by police.
Amnesty International’s report states: “In February 2024, Slaviša Milanov, an independent journalist from Dimitrovgrad, Serbia, reporting on news stories of local interest, was arrested after a seemingly routine traffic stop. , and was taken to the police station.”
“After Slavisha was released, he noticed that his mobile phone, which he had left at the police station reception at the request of a police officer, was behaving strangely. Data and Wi-Fi settings were turned off. “I knew this could be a sign,” Slaviša told Amnesty International, bearing in mind the risk of hacking and the surveillance threats faced by journalists in Serbia. We contacted International Security Lab and asked them to analyze the phone. ”
The researchers then provided Google’s Threat Analysis Group (TAG) with an exploit artifact that allowed them to exploit Qualcomm’s DSP (Digital Signal Processor) driver, which is used to offload multimedia processing to DSP cores. adsprpc”) flaw has been revealed.
Google is not sure which vulnerabilities NoviSpy exploits, but evidence suggests that the spyware uses exploit chains to bypass Android security mechanisms and install itself persistently at the kernel level.
NoviSpy deployed in Serbia
According to a report by Amnesty International, NoviSpy was deployed by the Serbian Security Intelligence Agency (BIA) and the Serbian Police after a mobile phone was unlocked using the Cellebrite unlock tool while the device was in physical custody. That’s what it means.
Based on forensic evidence on tampered devices, researchers believe Cellebrite exploited Qualcomm’s zero-day to unlock Android smartphones.
“While conducting research for this report, the Security Lab also discovered forensic evidence leading to the identification of a zero-day Android privilege escalation vulnerability that can be used to escalate privileges on a device.”
Activist from Serbia,” the Amnesty International report said.
“This vulnerability, identified in collaboration with security researchers at Androidmaker Google, affects a large number of Android devices using the popular Qualcomm chipset, and affects millions of Android devices worldwide. I gave it.”
The spyware communicated with servers in IP ranges directly associated with BIA, but configuration data within the sample identified specific individuals associated with the country’s previous spyware procurement programs.
Targets include journalists, human rights activists, and government dissidents. Specific examples cited in Amnesty’s report include journalist Slavisha Milanov, a member of the Krokodil NGO, and three activists.
However, Amnesty International says it has technical evidence to suggest that NoviSpy has been installed on dozens, if not hundreds, of Android devices in Serbia over the past few years.
Regarding the first breach, Amnesty International says the recovered artifacts indicate a zero-click attack leveraging Android calling features such as Voice-over-Wifi and Voice-over-LTE (VoLTE) features. .
These were active on the compromised devices investigated and used as part of Rich Communication Suite (RCS) calls.
Amnesty International says some activists may have been targeted using the ZeroClick Android vulnerability, which can be exploited by receiving calls from invalid phone numbers with many digits, as shown below. I suspect that it may have been done.
Source: Amnesty International
Google discovers Qualcomm flaw
Google’s TAG received kernel panic logs generated by an exploit captured by Amnesty International and worked backwards to identify six vulnerabilities in Qualcomm’s adsprpc driver, which is used by millions of Android devices. .
The six flaws can be summarized as follows:
CVE-2024-38402: A reference counting issue in the driver could lead to a use-after-free (UAF) exploit that could lead to arbitrary code execution in kernel space. CVE-2024-21455: Defective “is_compat” flag handling causes user-controlled pointers to be treated as kernel pointers, creating arbitrary read/write primitives, resulting in privilege escalation. CVE-2024-33060: Race condition in “fastrpc_mmap_create” exposes the driver to a UAF vulnerability, specifically when handling global memory maps, leading to kernel memory corruption. CVE-2024-49848: A logic error in the handling of persistent mappings allows a UAF scenario when a reference to a mapping is improperly released and provides a persistence mechanism. CVE-2024-43047: Duplicate memory mappings in ‘fastrpc_mmap’ can corrupt object references and lead to memory corruption. No CVE: Improper validation in fastrpc_mmap_find could leak kernel address space information and bypass kernel address space layout randomization (KASLR).
Google researchers have confirmed the exploitation of CVE-2024-43047 and hypothesize that the rest were exploited in a complex attack chain.
As of this writing, Qualcomm has not released a patch for CVE-2024-49848, even though Google reported this issue 145 days ago.
Google also noted that Qualcomm delayed patching CVE-2024-49848 and CVE-2024-21455 by more than the industry standard of 90 days.
BleepingComputer reached out to Qualcomm regarding the status of these six flaws, and a spokesperson issued the following statement:
“Developing technology that strives to support robust security and privacy is a priority for Qualcomm Technologies,” Qualcomm told BleepingComputer.
“We commend the researchers at Google Project Zero and Amnesty International Security Lab for their collaborative disclosure practices regarding their FastRPC driver research. The program is available to our customers. We encourage end users to apply security updates as appropriate.” Available from the device manufacturer. ”
Regarding CVE-2024-49848, Qualcomm told BleepingComputer that a fix has been developed and is in the process of being published, and a related security bulletin will be published in January 2025.
Regarding the missing CVE identifier vulnerability, Qualcomm says the issue was fixed in September 2024 as it was packaged with the CVE-2024-33060 hotfix.
Updated December 16, 2024: Added new information from Qualcomm regarding upcoming fixes.
