Six fresh vulnerabilities found in Samsung Android devices

Paleari discovered the issues while taking a look at the inner workings of some Samsung devices, focusing on the manufacturer's customizations to the Android system. “I soon started to find some exploitable bugs, affecting both old device models (e.g., my Galaxy Tab GT-P1000) and newer devices (e.g., my Galaxy S3),” he noted. “All these issues were caused by Samsung-specific software or customizations,” not anything within the Google Android OS itself.

All of the vulnerabilities can be exploited without requiring specific Android privileges; thus, attackers can conceal the exploit code inside a low-privileged application, distributed through Google Play or the Samsung Apps market.

Two different vulnerabilities can be exploited to silently install highly privileged applications with no user interaction. “The privileged applications to be installed can be embedded right inside the unprivileged application package, or downloaded on the fly from an online market,” Paleari explained in his blog.

A third issue allows attackers to send SMS messages without requiring any Android privilege – normally, Android applications are required to have the “android.permission.SEND_SMS” permission to perform that task.

An additional vulnerability can be used to silently perform almost any action on the victim's phone, ranging from placing phone calls to sending e-mails, SMS messages and so on. The remaining security issues allow attackers to change other settings of the victim's phone, such as networking or internet settings, without the user's consent.

“The ability to silently install privileged applications or to send SMS messages are quite appealing tasks for mobile malware authors and, to make things even worse, most of the issues I reported to Samsung are also pretty easy to find,” Paleari said. “As a consequence, I won't be surprised to find some malware in the wild that exploits these or similar vulnerabilities.”

Unfortunately, a patch may be some time in coming. In January, Paleari gave the Korean CE giant “all the technical details and proof-of-concepts for the six vulnerabilities I found, plus some bonus denial-of-services and info leaks.” However, a month later Samsung asked him to delay public disclosure until proper patches were developed, adding that “any patches [Samsung] develops must first be approved by the network carriers.” He said that he has not received additional confirmation since that communication.

“Waiting until (all?) the network carriers approve a security patch seems to be a very, VERY, long time!” he said. He added, “Considering that most of these bugs can be fixed quite easily, without any drastic change to the device software, I admit that I was expecting a quick patch from Samsung. However, two months were not enough even to start the development of a security fix, and I don't think any patch will be released anyway soon.”

Samsung has been facing other security issues for its mobile devices as well. One is a vulnerability that allows someone with physical access to Samsung phones running Android 4.1.2 or above to bypass the lock screen. Users can press the “emergency call” and the “in case of an emergency” (ICE) contact list buttons and hold down the home button at the same time, to cause the device’s home screen to pop up. From there a user can touch an app and gain access to it. The vulnerability is still unpatched.

In December, Galaxy S III and Galaxy Note II smartphones were found to be vulnerable to app-based attacks thanks to a security flaw in the devices’ Exynos 4 processors. Samsung rectified the flaw earlier this year.
