A high-severity vulnerability has been patched in Android security updates released this month. The flaw, tracked as CVE-2023-0266, was exploited as a zero-day to install commercial spyware on compromised devices.
The exploit allowed for privilege escalation without requiring user interaction, and was used as part of a complex chain of multiple zero-days and n-days in a spyware campaign targeting Samsung Android phones. The attackers deployed a spyware suite on compromised devices capable of decrypting and extracting data from chat and browser apps.
Google TAG linked the attacks to Spanish mercenary spyware vendor Variston, known for its Heliconia exploit framework that targets the Windows platform. The same exploit chain included another zero-day (CVE-2022-4262) in the Chrome web browser, a Chrome sandbox escape, as well as vulnerabilities in the Mali GPU Kernel Driver and the Linux Kernel.
According to the Android security team, there are indications that CVE-2023-0266 may still be under limited, targeted exploitation.
In response to the Google TAG report, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-0266 to the Known Exploited Vulnerabilities list, a compilation of security vulnerabilities actively exploited in attacks. CISA gave Federal Civilian Executive Branch Agencies (FCEB) agencies three weeks, until April 20, to secure all vulnerable Android devices against attacks that could target the bug.
The May Android updates not only patch the high-severity vulnerability, but also address dozens of other security bugs, most of which are high-severity privilege escalation issues in the OS and various components.
Additionally, the Android security team published the May Pixel Update Bulletin, which addresses flaws in supported Pixel devices and Qualcomm components.
