A newly disclosed zero-day vulnerability in Qualcomm's DSP (Digital Signal Processor) driver has been linked to the deployment of a spyware tool named NoviSpy, targeting Android devices in Serbia. The vulnerability, part of a broader set of issues identified in the adsprpc driver by Google Project Zero, was exploited to achieve privileged access on affected devices, enabling full surveillance capabilities.
This revelation stems from collaborative research conducted by Google's Threat Analysis Group (TAG) and Amnesty International's Security Lab. TAG identified six vulnerabilities within Qualcomm's adsprpc driver, including one actively exploited in the wild (ITW) to compromise devices. Amnesty's forensic investigations tied the exploitation to the NoviSpy spyware, linked to Serbia's Security Information Agency (BIA).
Discovering a zero-day flaw
Google Project Zero's analysis was prompted by kernel panic logs provided by Amnesty International. The logs revealed a heap corruption issue in the adsprpc driver during the handling of fastrpc_mmap structures — key components in memory management for Qualcomm DSPs. Researchers hypothesized that attackers exploited this zero-day bug to achieve a use-after-free condition, allowing arbitrary code execution.
The adsprpc driver facilitates multimedia offloading to DSP cores, creating a complex attack surface. While the exact CVE tied to the ITW exploit remains unidentified, the exploit's mechanism aligns with CVE-2024-43047, a use-after-free vulnerability involving overlapping memory mappings. This attack vector enabled adversaries to escalate privileges and persistently infect targeted devices.
Uncovering NoviSpy
Amnesty International's investigation highlighted NoviSpy, a domestically developed Android spyware system. The spyware was covertly installed on journalists' and activists' devices, often during police detentions or interviews. The infection relied on physical access to the device, facilitated by Cellebrite's forensic tools to bypass encryption and security protocols.
NoviSpy granted attackers:
- Access to files, messages, and call logs.
- The ability to activate microphones and cameras covertly.
- Persistent monitoring through command-and-control servers linked to Serbian authorities.
One journalist, Slaviša Milanov, reported his phone acting abnormally after a police stop. Forensic analysis revealed that Cellebrite was used to unlock his device, followed by NoviSpy installation. Similar tactics were documented in cases involving other Serbian activists.
Advice to potential targets
Qualcomm chips power a significant share of Android devices, and Google and Qualcomm are currently working on security patches. Users should watch for incoming security updates and apply them as soon as possible.
Until fixes become available, it is recommended to enable filesystem encryption and secure boot, avoid surrendering devices to untrusted parties, and treat phones confiscated by the police as compromised.
Amnesty International's Mobile Verification Toolkit (MVT) can be a useful tool for checking whether a device has been compromised by known malware, though it cannot detect strains that are yet to be discovered.
Anonymous
Or, Or, Orrrrrr. Just don't do shady stuff on a phone. It is a personal tracker and not fit for some types of internet usage.