New Android updates fix kernel bug exploited in spyware attacks

Android security updates released this month patch a high-severity vulnerability exploited as a zero-day to install commercial spyware on compromised devices.

The security flaw (tracked as ) is a use-after-free weakness in the Linux Kernel sound subsystem that may result in privilege escalation without requiring user interaction.

According to a Google Threat Analysis Group (TAG)  published in March, it was exploited as part of a complex chain of multiple 0-days and n-days in a spyware campaign targeting Samsung Android phones.

The attackers deployed a spyware suite on compromised devices capable of decrypting and extracting data from chat and browser apps, Google TAG said.

The same exploit chain included another zero-day (CVE-2022-4262) in the Chrome web browser, a Chrome sandbox escape, as well as vulnerabilities in the Mali GPU Kernel Driver and the Linux Kernel.

Google TAG linked the attacks to Spanish mercenary spyware vendor Variston, known for its  that targets the Windows platform.

“There are indications that CVE-2023-0266 may be under limited, targeted exploitation,” a note added by the Android security team to  reads.

Federal agencies ordered to patch until April 20

One day after Google TAG published its report, the Cybersecurity and Infrastructure Security Agency (CISA)  to the Known Exploited Vulnerabilities, a list of security vulnerabilities actively exploited in attacks.

CISA gave Federal Civilian Executive Branch Agencies (FCEB) agencies three weeks, until April 20, to secure all vulnerable Android devices against attacks that could target the bug.

The  also address dozens of other security bugs, most high-severity privilege escalation issues in the OS and various components.

On Monday, the Android security team also published the , which addresses flaws in  and Qualcomm components.