Researcher points out critical Samsung Android phone vulnerabilities
Posted on 21 March 2013.
Tired of waiting for Samsung to fix a string of critical flaws in their smartphones running Android, Italian security researcher Roberto Paleari has decided to inform the public about the seriousness of the matter and maybe make the company pick up the pace.


Mindful of the danger that the vulnerabilities present to the users if they are exploited by malicious individuals, he decided not to share any technical details, but to just give a broad overview of what their misuse would allow:
  • a silent installation of highly-privileged applications with no user interaction
  • SMS sending and changing of various phone settings without the app requiring the permission to do so
  • an app performing almost any action on the victim's phone.
"All these issues were caused by Samsung-specific software or customizations," he noted. "All the vulnerabilities I reported can be exploited from an unprivileged local application. In other words, no specific Android privileges are required for the attacks to succeed. This allows attackers to conceal the exploit code inside a low-privileged (and apparently benign) application, distributed through Google Play or the Samsung Apps market."

He admits at being surprised at the length of time it takes for Samsung to patch the vulnerabilities, especially because he believes they are easily fixed. The company replied to him that "any patches [Samsung] develops must first be approved by the network carriers."

In the meantime, UK blogger Terence Eden has demonstrated another lock screen bypass flaw he found on Samsung Android phones, which allows anyone to completely disable the lock screen and get access to any app.

The lock screen bypass flaw he discovered earlier this month has still not been patched by Samsung, but Bkav has released a patch that not only fixes the flaw, but also takes a photo of anyone trying to misuse the flaw and emails it to the phone's owner.

UPDATE (March 22): Bkav has developed a patch for the Samsung lock screen flaw disclosed by Eden.









Spotlight

Leveraging network intelligence and deep packet inspection

Posted on 26 November 2014.  |  Tomer Saban, CEO of WireX Systems, talks about how deep packet inspection helps with identifying emerging threats, the role of network intelligence, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Nov 27th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //