
Security Flaws Found in Samsung’s Stock Mobile Apps

June 10, 2021

Mobile Security Firm Uncovers Flaws in Samsung Apps

A recently established mobile security company has identified seven security vulnerabilities within pre-installed applications on Samsung mobile devices. Exploitation of these weaknesses could potentially grant attackers extensive access to a user's private information.

Vulnerabilities Found in Core Samsung Components

Oversecured, the security startup, reports that the discovered vulnerabilities reside within several applications and components that are natively bundled with Samsung smartphones and tablets. Sergey Toshin, Oversecured’s founder, communicated to TechCrunch that these vulnerabilities were confirmed on a Samsung Galaxy S10+ device.

However, Toshin indicated that the potential for impact extends to all Samsung devices, given the integral role these pre-installed apps play in core system functionality.

Potential for Data Theft and Unauthorized Changes

According to Toshin, a malicious application operating on the same device could leverage these vulnerabilities to compromise a victim’s data. This includes the unauthorized acquisition of photos, videos, contacts, call logs, and messages.

Furthermore, system settings could be altered without the user’s knowledge or consent, achieved through the hijacking of permissions granted to Samsung’s standard applications.

Specific Vulnerabilities Detailed

One identified flaw involved the Secure Folder app, which possesses a broad range of permissions across the device. A proof-of-concept demonstration by Toshin illustrated the potential for extracting contacts data through this vulnerability.

Another vulnerability existed within Samsung’s Knox security software, potentially enabling the installation of additional malicious applications. A flaw in Samsung DeX could have been exploited to gather data from user notifications, including information from apps, email inboxes, and messages.

Disclosure and Patching

Oversecured publicly released the technical specifics of these vulnerabilities in a blog post. The company also stated that it had previously reported these issues to Samsung, and that Samsung has since implemented fixes.

Samsung’s Response

Samsung acknowledged that the flaws affected a “selected” range of Galaxy devices, but refrained from providing a comprehensive list of impacted models.

The company asserted that “there have been no known reported issues globally and users should be assured that their sensitive information was not at risk,” though no supporting evidence was offered. Samsung confirmed that security patches were developed and distributed via software updates in April and May of 2021, following the identification of the vulnerabilities.

About Oversecured

Launched earlier this year, Oversecured has invested $1 million of its own funds into bug bounty programs. The company employs automated systems to proactively search for vulnerabilities within Android code.

Sergey Toshin and his team have previously uncovered similar security issues in popular applications such as TikTok and within the Google Play app store for Android.

Tags: Samsung, security flaws, mobile security, Android security, app vulnerabilities, Samsung apps