Google’s recent advisory highlights two critical vulnerabilities in the Android ecosystem actively being exploited in the wild:

1. CVE-2024-43093: This is a privilege escalation vulnerability within the Android Framework component. The flaw allows unauthorized access to sensitive directories—specifically, “Android/data,” “Android/obb,” and “Android/sandbox”—and their subdirectories. Unauthorized access to these directories could expose or modify critical app data, posing significant risks to user privacy and data security. While specific details on exploitation methods are not provided, Google noted signs of limited, targeted exploitation.
2. CVE-2024-43047: This vulnerability impacts Qualcomm chipsets and involves a use-after-free issue in the Digital Signal Processor (DSP) Service. Successful exploitation could result in memory corruption, potentially giving attackers access to sensitive memory regions. This bug has been addressed in recent patches, but its active exploitation suggests ongoing risk to devices with affected chipsets that have not been updated.

The active exploitation of Android vulnerabilities CVE-2024-43093 and CVE-2024-43047 underscores the persistent threat these flaws pose, particularly for high-risk targets. Google’s Project Zero researchers, Seth Jenkins and Conghui Wang, identified CVE-2024-43047, and Amnesty International’s Security Lab later confirmed its real-world exploitation, highlighting the potential use in targeted spyware campaigns, possibly aimed at members of civil society.

TECHNICAL DETAILS:

1. CVE-2024-43093

• CVE ID: CVE-2024-43093
• CVSS Score: (Currently undisclosed but likely rated high, considering active exploitation and privilege escalation nature)
• CWE: CWE-269 – Improper Privilege Management
• Affected Component: Android Framework component
• Type: Privilege Escalation Vulnerability
• Attack Vector: Local
• Impact: Unauthorized access to “Android/data,” “Android/obb,” and “Android/sandbox” directories and their sub-directories.
• Exploit Details: Allows attackers to gain access to restricted directories, which could lead to exposure, tampering, or deletion of app-specific data.
• Exploitation in the Wild: Confirmed; Google indicated this vulnerability is currently under limited, targeted exploitation.
• Patch Availability: Patched in recent Android updates (security bulletin for the current month).

2. CVE-2024-43047

• CVE ID: CVE-2024-43047
• CVSS Score: (Currently undisclosed but presumed high due to memory corruption and active exploitation)
• CWE: CWE-416 – Use After Free
• Affected Component: Qualcomm Digital Signal Processor (DSP) Service
• Type: Memory Corruption (Use-After-Free Vulnerability)
• Attack Vector: Local
• Impact: Memory corruption leading to potential unauthorized code execution.
• Exploit Details: This vulnerability can corrupt memory, allowing attackers to escalate privileges and potentially execute arbitrary code.
• Exploitation in the Wild: Confirmed; researchers reported active exploitation of this vulnerability, potentially in highly targeted attacks.
• Patch Availability: Patched in the latest Android security update for devices with Qualcomm chipsets.

IOCS (indication of compromise)

·       Potential IOCs and Techniques for CVE-2024-43093 (Android Framework Privilege Escalation)

1. File System Access Logs:
   • Unusual access to directories such as Android/data, Android/obb, and Android/sandbox without user action.
   • Unexpected modification, creation, or deletion of files within these directories.
2. App Behavior Changes:
   • Applications that suddenly gain access to sensitive data or exhibit behavior inconsistent with typical usage (e.g., accessing restricted directories).
3. Unusual Privilege Requests:
   • Applications that don’t normally require elevated privileges requesting new permissions to access sensitive directories.
4. System Logs and Error Messages:
   • Security events or warning logs related to unexpected access requests to restricted directories.

·       Potential IOCs and Techniques for CVE-2024-43047 (Qualcomm DSP Service Memory Corruption)

1.       Crash Dumps and Memory Errors:

o   Check system logs for unusual DSP service crashes, memory allocation errors, or unexpected device reboots, which may indicate exploitation attempts.

2.       Process Anomalies:

o   Irregular behavior in processes associated with Qualcomm DSP, especially if they trigger memory-related warnings or crashes.

3.       Binary Changes or Modifications:

o   Monitor for unauthorized modifications to binaries associated with the Qualcomm DSP Service, which could indicate that attackers are attempting to exploit the vulnerability.

4.       Unusual Network Traffic:

o   Since successful exploitation may be part of a broader spyware campaign, monitor for abnormal outbound network traffic from Android devices to unknown or suspicious IP addresses or domains.

5.       Indicators of Spyware or Rootkit-like Behavior:

o   Files or applications that persist after a system reboot, maintain stealthy background operations, or connect to suspicious endpoints.

·       Detection Techniques

1.       Behavioral Monitoring:

o   Use mobile security tools that perform behavior-based monitoring to flag unusual application behaviors, especially around directory access and privilege escalation attempts.

2.       File Integrity Monitoring (FIM):

o   Implement FIM on critical files and directories, particularly within the Android/data, Android/obb, and Android/sandbox directories.

3.       Network Traffic Analysis:

o   Analyze network traffic for data exfiltration or connections to known command-and-control (C2) domains used by spyware campaigns.

4.       System and Application Logs:

o   Regularly review system and application logs for patterns that align with privilege escalation or use-after-free exploitation attempts.

IMPACT

1. CVE-2024-43093 – Android Framework Privilege Escalation

• Unauthorized Access to Sensitive Directories:
  • Attackers can gain access to directories such as Android/data, Android/obb, and Android/sandbox, which typically contain sensitive application data. This access could allow them to read, modify, or delete files without user consent.
• Increased Risk of Data Exposure and Theft:
  • Sensitive application data (e.g., app configurations, user data, cache files) could be exposed. This would compromise the confidentiality of personal or application-specific information, which is particularly harmful for applications handling sensitive information, such as financial or healthcare apps.
• Tampering with App Data and Settings:
  • Attackers could modify application data, potentially leading to altered app behavior, corruption, or even denial of service. For instance, tampering with configuration files could cause apps to malfunction or crash.
• Potential Surveillance or Tracking:
  • Exploitation of this vulnerability could be used in targeted spyware attacks to gather information about specific individuals, especially in cases where the attack is directed at civil society members or high-risk users.

2. CVE-2024-43047 – Qualcomm DSP Service Use-After-Free (Memory Corruption)

• Memory Corruption and System Instability:
  • This vulnerability could lead to memory corruption within the DSP Service, potentially causing unexpected reboots, system crashes, or stability issues on affected devices.
• Elevation of Privileges and Potential Code Execution:
  • Successful exploitation could allow an attacker to escalate privileges and execute arbitrary code, gaining control over the affected device. This could lead to full device compromise, allowing attackers to read data, install additional malicious software, or maintain persistent access.
• Risk of Spyware or Surveillance:
  • Given the active exploitation, CVE-2024-43047 could be used to deliver or enhance spyware functionality, enabling attackers to monitor communications, record audio, or track user activity.
• Broader Security Bypass:
  • By exploiting this vulnerability, attackers could bypass security restrictions on the device, undermining Android’s security model and increasing the overall attack surface.

RECOMMENDATIONS:

1. Apply Security Updates

·       End Users:

o   Ensure that your Android device is updated with the latest security patches. Google’s October 2024 security update (or the latest monthly update) addresses these vulnerabilities, so update as soon as possible.

·       IT Administrators:

o   For organizations managing Android devices, enforce immediate updates across the fleet, especially on devices with Qualcomm chipsets.

o   Use Mobile Device Management (MDM) tools to monitor and enforce compliance with update policies.

2. Enable and Enforce App Permissions Management

·       Limit Permissions:

o   Regularly review app permissions and only grant necessary permissions. Avoid apps that request permissions not required for their function.

·       Use Android Permissions Monitoring Tools:

o   Android 11+ offers a permission monitoring tool. Enable notifications to be alerted when apps request sensitive permissions like storage access, helping you detect potentially malicious apps trying to exploit these vulnerabilities.

3. Deploy Mobile Threat Detection Tools

·       Behavior-based Security:

o   Use behavior-based mobile security solutions or endpoint protection software that can detect abnormal application behavior, privilege escalation attempts, and unauthorized data access.

·       File Integrity Monitoring (FIM):

o   Set up FIM on high-risk directories (Android/data, Android/obb, Android/sandbox) to detect unauthorized access or changes, which can indicate potential exploitation attempts.

4. Enable and Enforce Network Traffic Monitoring

·       Network Anomaly Detection:

o   Monitor for unusual outbound traffic, especially to unknown IPs or domains, as these can be signs of spyware or command-and-control (C2) activity.

·       Limit Data Exfiltration Risks:

o   Use network segmentation and restrict high-risk devices from accessing sensitive networks to prevent data leakage.

5. Disable Developer Mode and USB Debugging (If Not Needed)

·       Disable developer mode and USB debugging on Android devices for users who do not require them, as these settings can increase exposure to security risks by allowing advanced manipulation of the device.

6. Raise Awareness Among High-Risk Users

·       High-Risk Groups (e.g., journalists, activists):

o   Inform high-risk users about the potential for targeted attacks using these vulnerabilities. Encourage best practices like limiting app downloads to trusted sources (e.g., Google Play Store) and avoiding third-party app stores.

·       Enable Device Encryption:

o   Device encryption can add an additional layer of security by protecting data at rest, making it harder for attackers to access data even if privilege escalation is achieved.

7. For Organizations: Establish Security Policies for Android Devices

·       Restrict Installation of Unverified Apps:

o   Use MDM tools to prevent installation of apps from unknown or untrusted sources.

·       Monitor Security Logs and Perform Regular Audits:

o   Regularly review security logs and conduct audits to detect unusual access patterns, permissions changes, or system crashes linked to the DSP service or Android Framework.

8. Stay Informed and Be Prepared for Further Updates

·       Regularly Monitor Security Bulletins:

o   Stay up-to-date with Google’s Android Security Bulletins and Qualcomm’s advisories for any new patches or further information related to these vulnerabilities.

·       Implement Incident Response Plans:

o   Have a mobile incident response plan in place to quickly isolate affected devices if suspicious activity is detected, minimizing potential exposure.