Endpoint/Device Security, Privacy, Threat Intelligence

Google, Amnesty International uncover new surveillance malware


Researchers with Google and Amnesty International are exposing a newly uncovered piece of surveillance malware.

The Amnesty International team said that a journalist in Serbia turned over a previously unknown piece of malware. A brief analysis of the sample found that it was mobile surveillance malware that, in this case, was being used by police to spy on the journalist’s activities.

“Amnesty International’s analysis led to two remarkable discoveries. Firstly, forensic traces revealed that a Cellebrite product had been used to unlock his device,” the group explained.

“Cellebrite, whose forensic tool allows the extraction of all data on a device and which is used by police departments around the world, claim that they have strict policies to prevent misuse of their product; yet, this discovery provides clear evidence of a journalist’s phone being targeted without any form of due process.”

Cellebrite is one of several vendors that develop mobile device exploitation and surveillance tools marketed as "forensics" software for law enforcement agencies investigating crimes.

While the vendors maintain that they carefully screen and manage which groups use their products, critics have alleged that in many cases the tools end up being sold to oppressive governments that use the software to illegally spy on critics, journalists and political opponents.

Further analysis found that the Android malware, labeled "NoviSpy", was a previously unknown and highly intrusive remote access tool able to monitor many of the device's basic functions.

From there, the malware sample was handed over to Google’s Project Zero team, which proceeded to analyze the data from the phone.

Over the span of just a couple of months, the Project Zero researchers traced the attack back to a group of six flaws in the Qualcomm DSP driver, despite not having any actual attack code to work from. One of the flaws remained unpatched at the time of publication, and two had taken the vendor more than 90 days to address.

This, in turn, allows attackers to take advantage of the time gap between disclosure and widespread patch deployment.

The researchers said that the findings show just how easy it can be for malware developers to craft exploits and gain low-level access when vendors fail to respond to vulnerability disclosures in a timely manner.

“Past research has shown that chipset drivers for Android are a promising target for attackers, and this ITW exploit represents a meaningful real-world example of the negative ramifications that the current third-party vendor driver security posture poses to end-users,” wrote the team.

“A system’s cybersecurity is only as strong as its weakest link, and chipset/GPU drivers represent one of the weakest links for privilege separation on Android in 2024.”

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
