A Google security researcher says that some Samsung Android phones were attacked by a commercial surveillance vendor using three zero-day hacks chained together.

In a blog post, Google Project Zero security researcher Maddie Stone said that the exploit chain targeted specific Samsung phones that used an Exynos chip, suggesting they were likely sold in Europe or the Middle East. The affected phones were also running a specific kernel version, with Google saying that three models were susceptible as a result - the Galaxy S10, A50, and A51.

While the flaws have now been patched, there was a credible risk to users while they were open. Google says that a malicious Android app, likely sideloaded, exploited the flaws and then gained access beyond its sandbox. That allowed it to access the rest of the Samsung phones' systems, although it isn't yet known what the final payload actually was.

The chain of exploits that was required in order to make the hack work required a number of steps, with Stone saying that the first vulnerability in the chain was used four times, once at each step.

While Google refuses to name which surveillance vendor it believes was involved, it does note that the attack follows a pattern similar to others. Those other malicious Android apps were used to deliver spyware for nation-states, perhaps giving a clue as to who might have been behind all of this.

Google also says that it reported all three vulnerabilities to Samsung in late 2020, with patches rolled out to affected handsets in March of 2021.