Security researchers from Zimperium zLabs discovered two critical vulnerabilities within the LINE messaging application for Android. These security flaws exposed the platform’s extensive user base, primarily in Asia, to significant cyber espionage risks, including account hijacking and spyware implantation. LINE is a prominent messaging app with over 176 million active users in Japan, Taiwan, and Thailand.
Account Hijacking and Spyware Vulnerabilities Detailed
The first vulnerability, identified as CVE-2023-23910, was an account hijacking flaw. This security issue allowed a remote attacker to execute arbitrary JavaScript code inside the application’s internal web browser. An attacker could trigger this vulnerability by sending a specially crafted link to a target. When the user clicked the link, the attacker could gain control of the victim’s LINE account without their knowledge. This access permitted the theft of user data such as message history, contacts, and call logs.
The second vulnerability, tracked as CVE-2023-32479, enabled a spyware implant. An attacker could send a victim a malicious video file. If the user saved the video to their device, the attacker could abuse a path traversal flaw in the save operation to execute a malicious file. This allowed the attacker to run arbitrary code on the user’s device, effectively turning it into an espionage tool with access to information such as location data and other sensitive files.
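The path traversal class of bug described above, as an added illustration that is not code from LINE or Zimperium: a sender-controlled attachment name is joined onto a download directory, so a name containing `../` lands the file outside that directory. The vulnerable join is shown beside a hardened version that canonicalises the destination and insists it is a direct child of the download directory; the directory path and sample names are constructed for the example.

```python
import os
from pathlib import Path

# Constructed placeholder for an app-private download directory.
DOWNLOAD_DIR = "/data/user/0/example.messenger/files/downloads"


def naive_save_path(download_dir: str, attachment_name: str) -> str:
    """Vulnerable pattern: trusts the sender-supplied name when building the
    destination, so '../' components walk out of download_dir."""
    return os.path.normpath(os.path.join(download_dir, attachment_name))


def escapes_download_dir(download_dir: str, attachment_name: str) -> bool:
    """Detection helper: True when the naive join would write outside download_dir."""
    base = os.path.realpath(download_dir)
    target = os.path.realpath(naive_save_path(download_dir, attachment_name))
    return os.path.commonpath([base, target]) != base


def safe_save_path(download_dir: str, attachment_name: str) -> str:
    """Hardened pattern: canonicalise both paths and require the destination to
    be an immediate child of download_dir. Raises ValueError otherwise."""
    if "\x00" in attachment_name:
        raise ValueError("NUL byte in attachment name")
    base = Path(download_dir).resolve()
    # An absolute attachment_name replaces base entirely; resolve() also
    # collapses '..' and follows symlinks, so the parent check catches both.
    candidate = (base / attachment_name).resolve()
    if candidate.parent != base or candidate.name in ("", ".", ".."):
        raise ValueError(f"rejected attachment name: {attachment_name!r}")
    return str(candidate)


def is_rejected(download_dir: str, attachment_name: str) -> bool:
    """True when the hardened check refuses the name."""
    try:
        safe_save_path(download_dir, attachment_name)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for name in ["holiday.mp4", "../../../evil.mp4", "/etc/hosts", "sub/clip.mp4"]:
        print(f"{name!r:28} naive_escapes={escapes_download_dir(DOWNLOAD_DIR, name)!s:5} "
              f"hardened_rejects={is_rejected(DOWNLOAD_DIR, name)}")
```

Note that the hardened check also refuses names with subdirectories (`sub/clip.mp4`), which the naive join would have accepted; a client that needs subfolders should create them itself rather than derive them from sender input.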
Discovery, Remediation, and Threat Actor Connections
Zimperium’s research team responsibly disclosed these vulnerabilities to the LINE Corporation on February 2, 2023. In response, LINE developed and released patches to address the security issues. The fixes were included in LINE for Android version 13.4.0, which was made available to users in early April 2023. Versions of the application prior to 13.4.0 remained vulnerable.
Analysis of the spyware implant vulnerability (CVE-2023-32479) revealed that its execution method was similar to techniques previously employed by Bitter, an advanced persistent threat (APT) actor. The Bitter APT group has been active since at least 2013 and is known for targeting government, military, and industrial entities in several Asian countries.
Source: https://www.darkreading.com/application-security/line-messaging-bugs-asian-cyber-espionage