The Serbian government exploited Qualcomm zero-days to unlock and infect Android devices with a new spyware named 'NoviSpy,' used to spy on activists, journalists, and protestors.

One of the Qualcomm flaws linked to the attacks is CVE-2024-43047, which was marked as an actively exploited zero-day vulnerability by Google Project Zero in October 2024 and received a fix on Android in November.

The spyware, which appears to have been deployed by Serbian authorities, based on its communications, was discovered by Amnesty International's Security Lab on a journalist's phone after police returned it.

"In February 2024, Slaviša Milanov, an independent journalist from Dimitrovgrad in Serbia who covers local interest news stories, was brought into a police station after a seemingly routine traffic stop," reads a report by Amnesty International.

"After Slaviša was released, he noticed that his phone, which he had left at the police station reception at the request of the officers, was acting strangely – the data and wi-fi settings were turned off. Aware that this can be a sign of hacking, and mindful of the surveillance threats facing journalists in Serbia, Slaviša contacted Amnesty International's Security Lab to request an analysis of his phone."

Subsequently, the researchers provided Google's Threat Analysis Group (TAG) with exploit artifacts, leading to uncovering the flaws in Qualcomm's DSP (Digital Signal Processor) driver ('adsprpc'), which is used for offloading multimedia processing to the DSP core.

While Google is unsure about which vulnerabilities are leveraged by NoviSpy, the evidence suggests that the spyware employs an exploit chain to bypass Android security mechanisms and install itself persistently at the kernel level.

NoviSpy deployed in Serbia

Amnesty International reports that NoviSpy was deployed by the Serbian Security Information Agency (BIA) and the Serbian police after a phone was unlocked using the Cellebrite unlocking tools during physical custody of the devices.

According to forensic evidence on tampered devices, the researchers believe that Cellebrite exploited Qualcomm zero-days to unlock Android phones.

"While conducting research for this report, the Security Lab also uncovered forensic evidence leading to the identification of a zero-day Android privilege escalation vulnerability used to escalate privileges on the device
an activist from Serbia," reads Amnesty International's report.

"The vulnerability, identified in collaboration with security researchers at Androidmaker Google, affected numerous Android devices using popular Qualcomm chipsets impacting millions of Android devices worldwide."

The spyware communicated with servers on IP ranges tied directly to BIA, while configuration data in the samples identified a specific person linked to the country's prior spyware procurement programs.

The targets include journalists, human rights activists, and government dissidents. Specific examples mentioned in the Amnesty report include journalist Slaviša Milanov, a member of the Krokodil NGO, and three activists.

However, Amnesty says that technical evidence suggests NoviSpy was installed on dozens, if not hundreds, of Android devices in Serbia over the last few years.

Regarding the initial compromise, Amnesty International says the recovered artifacts point to a zero-click attack leveraging Android calling features such as Voice-over-Wifi or Voice-over-LTE (VoLTE) functionality.

These were active on the examined compromised devices, used as part of the Rich Communication Suite (RCS) calling.

Amnesty International suspects some activists may have been targeted using a zero-click Android vulnerability that could be exploited by receiving phone calls from invalid phone numbers of many digits, as shown below.

Google finds Qualcomm flaws

Google's TAG received kernel panic logs generated by exploits captured by Amnesty International and worked backwards to identify six vulnerabilities in Qualcomm's adsprpc driver, used in millions of Android devices.

The six flaws are summarized as follows:

1. CVE-2024-38402: A reference counting issue in the driver can lead to use-after-free (UAF) exploitation and arbitrary code execution in the kernel space.
2. CVE-2024-21455: A flawed 'is_compat' flag handling allows user-controlled pointers to be treated as kernel pointers, creating arbitrary read/write primitives and leading to privilege escalation.
3. CVE-2024-33060: A race condition in 'fastrpc_mmap_create' exposes the driver to UAF vulnerabilities, especially when handling global memory maps, leading to kernel memory corruption.
4. CVE-2024-49848: A logic error in handling persistent mappings causes a UAF scenario when references to mappings are improperly released, providing a persistence mechanism.
5. CVE-2024-43047: Overlapping memory mappings in 'fastrpc_mmap' can lead to corrupted object references, potentially leading to memory corruption.
6. No CVE: Improper validation in fastrpc_mmap_find leaks kernel address space information, allowing to bypass kernel address space layout randomization (KASLR).

Google researchers confirmed the exploitation of CVE-2024-43047 and hypothesize that the rest were exploited in a complex attack chain.

At the time of writing, Qualcomm has not released a patch for CVE-2024-49848, despite Google having reported the issue to them 145 days back.

Google also noted that Qualcomm delayed patching CVE-2024-49848 and CVE-2024-21455 over the industry-standard period of 90 days.

BleepingComputer contacted Qualcomm to ask about the status of those the six flaws, and a spokesperson has provided the below statement:

"Developing technologies that endeavor to support robust security and privacy is a priority for Qualcomm Technologies," Qualcomm told BleepingComputer.

"We commend the researchers from Google Project Zero and Amnesty International Security Lab for using coordinated disclosure practices. Regarding their FastRPC driver research, fixes have been made available to our customers as of September 2024. We encourage end users to apply security updates as they become available from device makers."

Regarding CVE-2024-49848, Qualcomm told BleepingComputer that a fix has been developed and is going through its disclosure process, with the related security bulletin coming in January 2025.

Regarding the vulnerability that lacks a CVE identifier, Qualcomm says the issue was packaged along with the CVE-2024-33060 fix in September 2024, and hence has been fixed.

Update 12/16/24: Added new information from Qualcomm about upcoming fixes.