0-click Paragon spyware targets WhatsApp users.

orydeatemi

Guardian piece here, Forbes piece there.

Anyone got a message ? Do we know if an affected GrapheneOS device passes attestation ?

raccoondad

orydeatemi How would we know without access to information on the exploit? Seems to be hush hush for now, like most recently found exploits

Roger

Oh cool they called it Graphite, they're clearly trying to psyop people away from using Grapheneos, you heard it here first. Jk jk, just one more reason not to use Whatsapp I guess.

JollyRancher

Without access to Graphite to test, it's impossible to know whether it can compromise GOS.

However, it is highly unlikely that it can.

First, the infection vector was a PDF and the default GOS PDF viewer is very good at blocking that vector.

Then it would have to get around the app sandbox and permission restrictions. Then, assuming you aren't daily driving the Owner profile it would have to jump profiles. Then it would have to find a means of persisting past a reboot.

DeletedUser134

JollyRancher

Profiles don't affect app sandboxes like that. If they escape in one profile they don't have to "jump" to another profile.

Profiles are for privacy, not security.

JollyRancher

DeletedUser134
Nothing done in a profile will be able to function if that profile isn't active. Until you unlock a profile, all associated data is at rest and encrypted.

Profiles, outside owner, also can't access the device boot part of storage.

Worst case if you get spyware in a profile is that it will only be active when that profile is running.

To persist spyware so that it is always active you have to get it into the Owner profile (the only one that is always active).

DeletedUser134

JollyRancher

Well if you send something to someone on WhatsApp it will obviously execute when the profile is active, as that is when you can receive it. So it's a moot point that the data is encrypted at rest because it won't be at rest. Your WhatsApp will likely be open long enough for it to run its course, whatever that is.

You are also assuming that an exploit can't break permissions. There is no evidence here that this one can, but being in a non owner profile won't stop an exploit that can escape a sandbox. Whatever added protection a secondary profile gives you is more likely to do with privacy and the profile not being open for as long (but that really is guessing - plenty of people use WhatsApp for extended periods of time).

I am not aware of a secondary profile having stronger exploit protection or a stronger sandbox. Nor do I see a reason for it to "jump" to another profile (whatever that means). Do you have a source for that statement?

JollyRancher

DeletedUser134

If code is stored in a profile, it can only be accessed and executed when that profile is active.

A User Profile is an isolated existence with essentially zero ability to affect the phone at a deeper level.

For the device, as opposed to a profile, to be compromised the exploit needs to either be in the Owner Profile or the firmware.

Direct Boot uses Device Encrypted Storage, but even if a User Profile can store data there (and I'm not sure whether they can or not), the Owner Profile, OS, or Firmware would have to be compromised to execute whatever is stored in the device encrypted storage.

Incidentally, if you want basically any kind of spyware to function on a GOS device it basically needs to be purpose designed to target GOS and/or be installed in the Owner Profile.

riddlemethis

JollyRancher

I think you grossly underestimate the capability of software/OS based exploitation. I would absolutely not convince myself that simply by operating in a profile that you're immune from anything nefarious.

JollyRancher

riddlemethis
Of course you aren't immune, but you are much better protected.