Monitoring Surveillance Vendors: A Deep Dive into In-the-Wild Android Full Chains in 2021 presented at Black Hat USA 2022

by Xingyu Jin, Richard Neal, Christian Lecigne

Tags: Mobile Exploit Development


Summary: Over the past 12 months, Google's Threat Analysis Group (TAG) and Android Security teams have discovered and analyzed several in-the-wild 1day/0day exploits used by surveillance vendors. We will present in-the-wild browser and kernel LPE exploits found in 2021, including CVE-2021-28663 (Mali GPU), CVE-2020-16040/CVE-2021-38000 (browser), CVE-2021-1048 (Linux kernel) and CVE-2021-0920 (Linux kernel). CVE-2021-0920 is an in-the-wild 0day Linux kernel garbage collection vulnerability; it is not publicly well known, and its exploit is considerably more sophisticated and arcane than the other exploits listed above. We will do a deep dive into the CVE-2021-0920 exploit and its attribution. We will also present a novel, previously unseen in-the-wild kernel exploitation technique that fully bypasses a hardware-level mitigation.

Among the commercial exploit vendors who built the above in-the-wild exploits, one, the developer of CVE-2021-0920, particularly attracted our attention. We have attributed a number of Android 0day/1day exploit samples to this vendor, including attempts to submit a malicious app to the Google Play store and early use of the Bad Binder exploit. By analyzing the vendor's exploits, we found an in-the-wild full chain targeting Android devices. The chain uses the 1day/nday browser exploits CVE-2020-16040/CVE-2021-38000 and the 0day CVE-2021-0920 to remotely root Android devices. After our report to the Linux kernel community, the 0day was fixed in September 2021 as CVE-2021-0920. Further research shows that the vulnerability had been found at least once before, in 2016, and reported on the Linux Kernel Mailing List, but the patch was rejected by the Linux kernel community.

For devices that enable the hardware-level CONFIG_ARM64_UAO mitigation, the vendor developed a novel method (not ret2bpf) to carefully circumvent the mitigation after addr_limit has been tampered with. Beyond this, the rich functionality of the post-exploitation rootkits makes the exploit more evasive.