Monitoring Surveillance Vendors: A Deep Dive into In-the-Wild Android Full Chains in 2021

The presentation discusses the discovery of zero-day exploits in the wild and the importance of reducing the time it takes to detect and patch vulnerabilities to protect users.

• Google routinely hunts for zero-day exploits in the wild and has reported several in recent years
• Over 30 commercial surveillance vendors are tracked, and some groups share or sell exploits between each other
• Two Android full chains were discovered in 2021, exploiting vulnerabilities in Chrome and the Linux kernel
• The exploitation technique used in one of the full chains involved exploiting an EPO reference counting vulnerability to gain Riot access to lib C, effectively giving code execution in every process that uses lib C
• Reducing the time it takes to detect and patch vulnerabilities is crucial for protecting users and increasing the cost for the surveillance industry to maintain their capabilities

One of the full chains discovered in 2021 involved exploiting an EPO reference counting vulnerability to gain Riot access to lib C, effectively giving code execution in every process that uses lib C. The exploitation technique used involved freeing a file structure in the Linux kernel while still having a reference to it from userspace as a file descriptor, creating a use-after-free scenario. By exploiting this vulnerability, the surveillance vendor was able to quickly gain code execution in every process that uses lib C, illustrating the importance of reducing the time it takes to detect and patch vulnerabilities to protect users.

Over the past 12 months, Google's TAG (Threat Analysis Group) and Android Security teams have discovered and analyzed several in-the-wild 1day/0day exploits by surveillance vendors. We will present in-the-wild browser and kernel LPE exploits found in 2021 such as CVE-2021-28663 (Mali GPU), CVE-2020-16040/CVE-2021-38000 (Browser), CVE-2021-1048 (Linux kernel) and CVE-2021-0920 (Linux kernel). CVE-2021-0920 is an in-the-wild 0day Linux kernel garbage collection vulnerability; not publicly well-known, it's much more sophisticated and arcane in contrast with the other aforementioned exploits. We will do a deep dive into the CVE-2021-0920 exploit and its attribution. Furthermore, we will present a novel and previously unseen in-the-wild kernel exploitation technique for fully bypassing a hardware level mitigation.Among the commercial exploit vendors who built the above in-the-wild exploits, one, the developer of CVE-2021-0920, has particularly attracted our attention. We have attributed a number of Android 0day/1day exploit samples to this vendor, including attempts at submitting a malicious app to the Google Play store and early use of the Bad Binder exploit. By analyzing the vendor's exploits, we found a full chain in-the-wild targeting Android devices. The exploit chain uses 1day/nday browser exploits CVE-2020-16040/CVE-2021-38000 and 0day CVE-2021-0920 to remotely root Android devices. After our report to the Linux kernel community, the 0day was fixed in September 2021 as CVE-2021-0920. Further research shows that the vulnerability was found at least once before in 2016 and reported on the Linux Kernel Mailing List, but the patch was rejected by the Linux kernel community.For devices enabling the hardware level CONFIG_ARM64_UAO mitigation, the vendor develops a novel method (not ret2bpf) to carefully circumvent the mitigation after the addr_limit is tampered. Besides this, the rich functionality of the post-pwn Rootkits has made the exploit more evasive.