Side note: Just checked are non-Android Linux OSes targeted by this spyware. Apparently, there's no public info in favor of such. So probably, nope. It looks mostly targeted against Android and iOS only.
> Just checked are non-Android Linux OSes targeted by this spyware
It's safe to assume that any mobile phone OS will inevitably be targeted. There are always going to be unpatched and uncaught vulnerabilities, and the market for finding these vulns are very hot.
The bigger question is why do you think you'd be vulnerable to attack by a nation-state? If you are that prominent, you are screwed anyhow.
How would you define a "mobile OS" then, to keep the alignment of what you said, particularly this part: "There are always going to be unpatched and uncaught vulnerabilities"?
Everything which can fit into a pocket and has a HTML5 browser?
FYI, I know about how extremely vulnerable average cellular baseband is (and that it would often use unprotected or weakly protected DMA). Let's assume the device in question doesn't have one of these.
Just about every phone (smart or feature) is running some flavor of Unix (iOS/BSD for Apple, Android/Linux for most other smartphones, and KaiOS/Linux for feature phones).
The 1998 style Nokia brick is functionally non-existent as there is no financially viable demand for a product like that anymore.
The markets that are feature phone driven (much of Africa, poorer regions of South and Southeast Asia) are also heavily WhatsApp dependent, so the mobile OS needs to be lightweight but also support modern app functionality - which lends itself to the embedded Linux use case.
Also, no matter how much you modify and QA code, inevitably some bug will arise, and will be open to exploitation.
Sure, but it runs Android Go (embedded Android) or KaiOS (embedded Linux) out of the box.
Any vulnerabilities that arises in Linux can also be weaponized on those OSes as well depending on when the OS image was deployed and whether or not the OEM supports upgrades and patches (generally they don't)
Do you have any info why this CVE is still unpatched? It seems absolutely crazy, given it is known (of course, a lot of similar bugs may not be even known as of now). Virtualization and containerization-based approaches would be a go-to method for reducing potential surface affected by them - given this was in (g)libc, even Linux namespaces would've potentially resisted most of things which can be done with it. Not to mention light hypervisors with very minimalistic codebase like Xen.
My phone doesn't run Xen yet (I've ran into some problems with kexec() support in Linux on aarch64), but it runs KVM just fine ;)
It's safe to assume that any mobile phone OS will inevitably be targeted. There are always going to be unpatched and uncaught vulnerabilities, and the market for finding these vulns are very hot.
The bigger question is why do you think you'd be vulnerable to attack by a nation-state? If you are that prominent, you are screwed anyhow.
This article by Mickens is fairly accurate [0]
[0] - https://scholar.harvard.edu/files/mickens/files/thisworldofo...