New Android updates fix kernel bug exploited in spyware attacks

Android security updates released this month patch a high-severity vulnerability exploited as a zero-day to install commercial spyware on compromised devices.

The security flaw (tracked as CVE-2023-0266) is a use-after-free weakness in the Linux Kernel sound subsystem that may result in privilege escalation without requiring user interaction.

According to a Google Threat Analysis Group (TAG) report published in March, it was exploited as part of a complex chain of multiple 0-days and n-days in a spyware campaign targeting Samsung Android phones.

The attackers deployed a spyware suite on compromised devices capable of decrypting and extracting data from chat and browser apps, Google TAG said.

The same exploit chain included another zero-day (CVE-2022-4262) in the Chrome web browser, a Chrome sandbox escape, as well as vulnerabilities in the Mali GPU Kernel Driver and the Linux Kernel.

Google TAG linked the attacks to Spanish mercenary spyware vendor Variston, known for its Heliconia exploit framework that targets the Windows platform.

"There are indications that CVE-2023-0266 may be under limited, targeted exploitation," a note added by the Android security team to this month's security bulletin reads.

The Android ITW LPE bug, CVE-2023-0266, discovered by @_clem1 in January is fixed in the May Android Security Bulletin. If your device has security patch level 2023-05-05 then it's been patched. https://t.co/8hCSuD30VK

— Maddie Stone (@maddiestone) May 3, 2023

Federal agencies ordered to patch until April 20

One day after Google TAG published its report, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-0266 to the Known Exploited Vulnerabilities, a list of security vulnerabilities actively exploited in attacks.

CISA gave Federal Civilian Executive Branch Agencies (FCEB) agencies three weeks, until April 20, to secure all vulnerable Android devices against attacks that could target the bug.

The May Android updates also address dozens of other security bugs, most high-severity privilege escalation issues in the OS and various components.

On Monday, the Android security team also published the May Pixel Update Bulletin, which addresses flaws in supported Pixel devices and Qualcomm components.