Attackers have long had an affinity for having their way with Android phones, but the hammer seems to have really come down over the last few months when it comes to devices manufactured by Samsung.
Independent Italian researcher Roberto Paleari discussed several bugs he recently found in Samsung Android phones in a post on his blog yesterday. Paleari claims that after taking some time to sit down with some of his devices, he found six exploitable bugs on older devices such as the Galaxy Tab and the newer Galaxy S3.
All of the vulnerabilities can be exploited without privilege and, according to Paleari, stem from “Samsung-specific software and customizations.” Paleari said two of the vulnerabilities can be used to silently install highly privileged applications without user interaction, while another allows attackers to send SMS messages without permission. Paleari claims another vulnerability can allow an attacker to silently perform “almost any action” on a victim’s phone, whether it’s placing phone calls or sending emails or SMS messages. The last vulnerability can allow attackers to change settings on another user’s phone, including networking or Internet settings, without the owner’s permission.
Paleari included a proof-of-concept video for the first exploit alongside his blog entry.
Paleari said he informed Samsung in mid-January shortly after he found the bugs and still hasn’t heard from the South Korean company about a fix. Instead, Paleari writes that Samsung did contact him on Feb. 20 and requested he delay public disclosure, insisting that “any patches [Samsung] develops must first be approved by the network carriers.”
Network carriers have come under fire for their slow release of security patches for Android devices. Activist Chris Soghoian recently gave a talk at the Kaspersky Security Analyst Summit where he explained how it’s the carriers, not Google, that are responsible for pushing updates. Carriers, he said, would rather consumers buy the next generation of a phone than invest in pushing updates. In late February, the U.S. Federal Trade Commission came down hard on mobile hardware manufacturer HTC America. HTC was reprimanded for its lack of patches for its devices, as well as for shoddy secure development practices. As part of a settlement, HTC must overhaul its security operations.
In his blog, Paleari said Samsung’s increased market share makes it a popular target for vulnerability research.
The vulnerabilities follow news this week that there’s yet another passcode bypass flaw on Samsung devices. Terence Eden, a UK mobile researcher, found a similar flaw earlier this month on devices running Android 4.1.2 that could allow unauthenticated users access to locked phones.
The latest flaw – also tested on 4.1.2 and discovered by Eden – lets attackers disable the lock screen and access any app. Unlike his previous bypass flaw, however, Eden notes the most recent flaw “doesn’t rely quite so heavily on ultra-precise timing.” This flaw relies on manipulating the phone’s emergency call feature to dial a fake number and gain access to Google’s Play marketplace. After a fake number is dialed, the lock screen shows the phone’s home screen and gives users a split second to click icons before it locks up again. Once in Google Play, there are a handful of apps on the marketplace that can disable screen locks, granting an attacker full access. As long as the attacker has physical access to a user’s phone, he can easily break in and, with a few well-executed clicks, gain access.
While Samsung failed to promptly respond to a request for comment on both Paleari’s and Eden’s vulnerabilities when asked Wednesday, Eden claims the company has informed him it’s working on a patch for his issue that “will be released shortly.”