Google’s Nexus Android devices are considered the most secure by default since they’re guaranteed to receive all security patches for vulnerabilities found internally and those disclosed by third parties.
Google’s Project Zero research team, however, decided to expand its reach and test the waters with one of its biggest OEM partners in Samsung, evaluating the security of the Galaxy S6 Edge.
“OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers,” Google researcher Natalie Silvanovich wrote Monday in a blog post.
Non-Nexus devices are at the mercy of handset makers and carriers, who sometimes are slow in pushing security updates to phones. The weeklong internal project resulted in the discovery of 11 high-impact vulnerabilities, all of which were reported to Samsung. All but three of the issues were patched in Samsung’s October maintenance release; the remaining three vulnerabilities are less severe, Google said, and are expected to be updated this month.
North American Project Zero members competed against their European counterparts in this exercise. Each side was given three challenges: gain remote access to data stored on the device such as contact information, photos and messages; gain access to the same data from an app installed from Google Play with no permissions; and, using the access gained in either of the first two challenges, maintain persistence even if the device was wiped.
From the Google report:
“Overall, we found a substantial number of high-severity issues, though there were some effective security measures on the device which slowed us down. The weak areas seemed to be device drivers and media processing. We found issues very quickly in these areas through fuzzing and code review. It was also surprising that we found the three logic issues that are trivial to exploit. These types of issues are especially concerning, as the time to find, exploit and use the issue is very short.”
The researchers said SELinux, a fairly recent addition to Android, did present a significant roadblock to finding bugs and determining attack surface, as did the disabling of the setenforce command, which is used to switch between permissive and enforcing modes at runtime.
The researchers said a directory traversal vulnerability in the Samsung WifiHs20UtilityService was probably the most interesting. An API used to unzip zip files does not verify file paths inside the archive, so files can be written to unexpected locations, Google said, adding that it was trivially exploitable with techniques used to exploit other similar vulnerabilities.
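As an added illustration, not code from Google's or Samsung's research and not the vulnerable service itself, here is the kind of path check the report describes as missing, written in Python. A dry run reports where each archive entry would land relative to the destination directory, and a hardened extractor refuses the whole archive if any entry would escape it. The archive contents are constructed for this example.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from the report): two benign entries plus
    two that try to escape the extraction directory, one via '..' and one via
    an absolute path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "benign")
        zf.writestr("sub/more.txt", "also benign")
        zf.writestr("../outside.txt", "escapes via parent reference")
        zf.writestr("/etc/evil.conf", "escapes via absolute path")
    return buf.getvalue()


def resolve_member(dest: str, member_name: str) -> tuple[str, bool]:
    """Compute where an entry would be written and whether that lies outside dest.
    Both sides are normalised with realpath, so 'a/../../x' and symlinked
    destination directories are handled consistently."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, member_name))
    inside = target == root or target.startswith(root + os.sep)
    return target, not inside


def plan_extraction(data: bytes, dest: str) -> list[dict]:
    """Dry run: report each entry's resolved target and whether it escapes dest."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target, escapes = resolve_member(dest, info.filename)
            report.append({"name": info.filename, "target": target, "escapes": escapes})
    return report


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Hardened extraction: validate every entry before writing anything, so one
    bad entry aborts the archive instead of leaving a partial extraction behind.
    Returns the file paths written."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            _, escapes = resolve_member(dest, info.filename)
            if escapes:
                raise ValueError(f"zip entry escapes destination: {info.filename!r}")
        written = []
        for info in zf.infolist():
            target, _ = resolve_member(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Run the dry run and the hardened extractor against the constructed sample,
    then confirm that a clean archive still extracts normally."""
    data = build_sample_zip()
    dest = tempfile.mkdtemp(prefix="zipcheck_")
    report = plan_extraction(data, dest)
    try:
        safe_extract(data, dest)
        rejected = False
    except ValueError:
        rejected = True
    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("notes.txt", "benign")
    written = safe_extract(clean.getvalue(), dest)
    return {
        "escapes": [entry["escapes"] for entry in report],
        "rejected": rejected,
        "written": len(written),
    }


if __name__ == "__main__":
    print(demo())
```

The check is done on fully resolved absolute paths rather than by scanning entry names for `..`, because a name such as `sub/../../x` contains no leading `..` yet still leaves the destination once joined and normalised; validating all entries before writing any of them is what keeps a rejected archive from leaving files behind.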
Researchers also found poor authentication in the Samsung Email client intent handler.
“An unprivileged application can send a series of intents that causes the user’s emails to be forwarded to another account. It is a very noisy attack, as the forwarded emails show up in the user’s sent folder, but it is still easy access to data that not even a privileged app should be able to access,” Google’s researchers said.
The Email client was also vulnerable to a script injection flaw that allows JavaScript embedded in a message to be executed in the client.
Three driver issues were also reported, buffer overflows that allow an attacker to escalate privileges and carry out other aspects of an attack. “These could be used by bugs in media processing, such as libstagefright bugs, to escalate to kernel privileges,” the researchers said.
The researchers were also able to find a handful of memory corruption issues in Samsung-specific image processing, triggered when images are opened in Samsung Gallery or merely downloaded, which allow privilege escalation in the Gallery app or the media-scanning process.