The Android boot chain initiates with the “Boot ROM,” which initializes the “bootloader.” The bootloader then loads the kernel, which is responsible for managing system resources and launching the init process.
Recently, cybersecurity researchers at QuarksLab identified multiple vulnerabilities impacting the boot chain of several Samsung devices.
Security researchers uncovered critical security flaws in Samsung Galaxy devices (particularly model “A225F”) where they identified multiple vulnerabilities in the device’s boot chain system.
Boot Chain Of Samsung Devices
The primary vulnerabilities are tracked as “CVE-2024-20832” and “CVE-2024-20865,” which affect two crucial components:-
- The Little Kernel (third bootloader responsible for starting Android).
- The Secure Monitor (highest-privilege software).
The first vulnerability exploits a heap overflow in Little Kernel’s custom JPEG parser, which lacks size verification when loading images into fixed-size heap structures.
How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)
While the second vulnerability bypasses Odin’s authentication system (Samsung’s recovery tool) by manipulating the “GUID Partition Table (GPT)” and “Partition Information Table (PIT).”
When these vulnerabilities are “chained together,” threat actors can execute malicious code through “USB access” to:-
- Achieve persistent root-level Android access (surviving reboots and factory resets).
- Modify the up_param partition containing critical JPEG files.
- Disable boot image verification.
- Extract sensitive data from the Secure World’s memory (Includes “Android Keystore encryption keys”).
This security breach was presented at “BlackHat USA 2024,” and it affects multiple devices in the Galaxy A series, with researchers releasing “proof-of-concept” demonstrations on “GitHub.”
It shows how the exploitation of these “combined vulnerabilities” compromises the entire device security chain from the “bootloader” to the “operating system” level.
Researchers discovered vulnerabilities in the ARM Trusted Firmware (also known as “Secure Monitor”), which is the highest-privileged component on Android devices.
Two critical vulnerabilities were identified here, and they are tracked as “CVE-2024-20820”, a read out-of-bounds issue in an SMC handler, and “CVE-2024-20021,” which allowed mapping of arbitrary physical memory.
By chaining these vulnerabilities, attackers could bypass “Android’s security model,” like root privileges to access protected components like the “Android Keystore.”
The exploit chain showed on a “Samsung Galaxy A225F” with a “Mediatek SoC,” involved four bugs that allowed code execution in Little Kernel via USB.
Which enables threat actors to get “root access on Android with persistence,” and leak data from the “Secure World’s memory.”
This breach enabled access to sensitive information like “Keystore keys,” which are normally inaccessible even with root privileges.
The researchers presented their findings at BlackHat USA 2024 which highlights the significant “security implications” for many Samsung devices using “Mediatek SoCs.”
Strategies to Protect Websites & APIs from Malware Attack => Free Webinar