The curious tale of a fake Carrier.app
ID: 3f2805ee-31c5-56fd-a969-03803d905ce5
STIX ID: report--3f2805ee-31c5-56fd-a969-03803d905ce5
Feed Name: Google Project Zero
Google Project Zero analysed a real-world iOS privilege-escalation exploit (CVE-2021-30983) delivered via a sideloaded fake “My Vodafone” carrier app; the exploit abused the Display Co-Processor (DCP) RPC and memory-mapping interfaces to obtain kernel read/write primitives and enable data exfiltration. The post details DCP firmware reverse-engineering, the exploit flow from IOConnectCallMethod through DCP handlers to a UniformityCompensator overflow, and notes the vulnerability was patched in iOS 15.2.
