Google Security Researchers Warn a Samsung Zero-Day Exploit Exists in the Wild

Published on October 23, 2024
Written by:
Lore Apostol
Infosec Writer & Editor

Google's Threat Analysis Group (TAG) has raised alarms over a zero-day vulnerability in Samsung's mobile processors, which has been actively exploited in the wild. This security gap enables privilege escalation on vulnerable Android devices, posing a severe threat to affected users.

The vulnerability, tracked as CVE-2024-44068 and carrying a CVSS score of 8.1, is a use-after-free bug in the m2m scaler driver present in Samsung's Exynos 9820, 9825, 980, 990, 850, and W920 processors.

Although Samsung's October 2024 security updates address this issue, the company's advisory remains sparse, particularly concerning the active exploitation of this vulnerability. However, Google researcher Xingyu Jin, who initially reported the flaw, and Google TAG researcher Clement Lecigne have confirmed that the exploit is present in the wild.

The crux of the vulnerability lies in the mishandling of page reference counts while userspace pages are mapped to I/O pages, a step that is crucial for hardware acceleration of media functions. Attackers can exploit this bug to execute arbitrary code within a privileged camera server process, significantly undermining device security.
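To make the bug class concrete, here is a simplified user-space model of the lifetime rule involved, added as an illustration; it is not Samsung's driver code. The struct and function names are hypothetical, and the sequence shown (userspace dropping its mapping while the I/O mapping is still live) is an assumption chosen to show why the I/O mapping must own its own page reference.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for a physical page: freed once the last reference is dropped. */
struct page { int refcount; bool freed; };

static void get_page(struct page *p) { p->refcount++; }
static void put_page(struct page *p) { if (--p->refcount == 0) p->freed = true; }

/* Hypothetical I/O mapping record: the device keeps using pg until unmapped. */
struct io_map { struct page *pg; bool holds_ref; };

/* take_ref=false models the bug class: the mapping borrows the page without
 * owning a reference. take_ref=true models the corrected lifetime rule. */
static struct io_map io_map_page(struct page *pg, bool take_ref)
{
    struct io_map m = { pg, take_ref };
    if (take_ref)
        get_page(pg);
    return m;
}

static void io_unmap_page(struct io_map *m)
{
    if (m->holds_ref)
        put_page(m->pg);
    m->pg = NULL;
}

/* Returns true if the device-side mapping still points at a page that was
 * freed when userspace dropped its own mapping mid-operation. */
static bool mapping_outlives_page(bool take_ref)
{
    struct page pg = { 1, false };      /* one reference: the userspace mapping */
    struct io_map m = io_map_page(&pg, take_ref);
    put_page(&pg);                      /* userspace unmaps while I/O map is live */
    bool dangling = m.pg->freed;        /* what the device would now be touching */
    io_unmap_page(&m);
    return dangling;
}

int main(void)
{
    printf("no reference taken: dangling=%d\n", mapping_outlives_page(false));
    printf("reference taken:    dangling=%d\n", mapping_outlives_page(true));
    return 0;
}
```

When the mapping holds its own reference, the page is released only at teardown, so the device never operates on memory that has already been freed.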

The exploit chain reportedly includes a Kernel Space Mirroring Attack (KSMA), bypassing Android kernel isolation protections, while the process name obfuscation hints at potential anti-forensic tactics by the attackers.

“This zero-day exploit is part of an EoP chain. The actor is able to execute arbitrary code in a privileged camera server process. The exploit also renamed the process name itself to ‘[email protected]’, probably for anti-forensic purposes,” the two security researchers pointed out.

While comprehensive details on the specific attacks remain undisclosed, it's notable that Google TAG frequently uncovers zero-days linked to spyware vendors targeting Samsung devices.

Also this month, the Automatic Content Recognition (ACR) surveillance technology used in Samsung and LG smart TVs, a tracking tool embedded within the TV's operating system, raised privacy concerns.


