Holes in Samsung Android Devices

Friday, March 22, 2013 @ 03:03 PM gHale

Tired of waiting for Samsung to fix a string of critical flaws in their Android smartphones, a researcher decided to go public with the vulnerability.

The vulnerabilities will present problems to users, so Italian security researcher Roberto Paleari decided not to share any technical details, but just give a broad overview of what their misuse would allow:
• A silent installation of highly-privileged applications with no user interaction
• SMS sending and changing of various phone settings without the app requiring the permission to do so
• An app performing almost any action on the victim’s phone.

Improved Malware Targets Android
Free Android Malware Testing Tool
BYOD Policies Lacking
Cold Snap Unlocks Androids

“All these issues were caused by Samsung-specific software or customizations,” he said. “All the vulnerabilities I reported can be exploited from an unprivileged local application. In other words, no specific Android privileges are required for the attacks to succeed. This allows attackers to conceal the exploit code inside a low-privileged (and apparently benign) application, distributed through Google Play or the Samsung Apps market.”

Samsung told Paleari that “any patches [Samsung] develops must first be approved by the network carriers.”

Along those lines, UK blogger Terence Eden demonstrated another lock screen bypass flaw he found on Samsung Android phones, which allows anyone to completely disable the lock screen and get access to any app.

The lock screen bypass flaw he discovered earlier this month has still not been patched by Samsung, but the mobile security firm, Bkav, released a patch that not only fixes the flaw, but also takes a photo of anyone trying to misuse the flaw and emails it to the phone’s owner.

Leave a Reply

You must be logged in to post a comment.