A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain

This report analyzes an in-the-wild, three-vulnerability exploit chain found in late 2020 that targets Samsung Exynos-based Android devices (examples: S10, A50, A51). The chain chains a flawed system clipboard content provider (arbitrary file read/write), an information leak from a Samsung sec_log copy of kernel messages (KASLR defeat), and a use‑after‑free in the DECON DPU driver to achieve arbitrary kernel read/write and privilege escalation; the sample appears linked to a commercial surveillance vendor and the issues were patched by Samsung in March 2021 (CVE-2021-25337 / CVE-2021-25369 / CVE-2021-25370).