Samsung made a rookie mistake in letting a domain expire that controlled a core app for Galaxy smartphones, according to a security researcher, potentially opening millions of devices to hackers.
Older Samsung smartphones have a stock app called S Suggest installed on them—and while the company discontinued S Suggest in 2014, there are still plenty of devices in use today that have it. João Gouveia, the CTO at Anubis Labs, told Motherboard that he observed 620 million connections to the domain from around 2.1 million unique devices in just 24 hours.
He observed that traffic because he was able to register and take over the ssuggest.com domain that controls the app. He thus effectively gained the ability to push malware to those millions of smartphones. He didn’t, of course—but he said that he could have.
"Someone with bad intentions could have grabbed that domain and done nasty things to the phones," Gouveia told the outlet, noting that S Suggest holds permissions to reboot the phone remotely and to install apps or packages.
"Over the years, researchers have found many instances of expired domains still figuring in live code, which has the potential to give attackers various kinds of dangerous unauthorized access," said Tim Helming, director of product management at DomainTools, via email. "Considering the low cost of registering domains (I'd guess that Samsung spends more annually on little red coffee stirrers than it would have cost to renew this domain for ten years or more), something like this should never occur because of an intentional decision. If it was a mistake, it highlights the importance of managing domain registrations. In some cases, a lapse can be merely embarrassing or inconvenient, but since so many critical systems rely on communications to domains, it's vital to retain positive control of them."
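One defensive check that follows from Helming's point, added here as an illustration and not code from Samsung or the article: inventory the domains an app's code hard-codes and compare them against registrar expiry data, so a lapse is caught before someone else registers the name. The source snippet, the `.test` domains and the expiry records are all constructed.

```python
"""Flag hard-coded domains whose registration has lapsed, is about to, or
was never (re)registered. Added example; the source and registrar data below
are constructed stand-ins. In practice the expiry dates would come from your
registrar account or an RDAP/WHOIS lookup."""
import re
from datetime import date, timedelta

# Constructed stand-in for a few lines of an app's source/config.
SAMPLE_SOURCE = """
UPDATE_URL = "https://api.example-suggest.test/v1/packages"
TELEMETRY  = "http://stats.example-suggest.test/ping"
MIRROR     = "https://cdn.example-cdn.test/apks/"
LEGACY     = "http://old-backend.example-legacy.test/"
RETIRED    = "http://www.example-dead.test/"
"""

# Constructed registrar data: registrable domain -> expiry date.
# A domain missing from this map is treated as not registered by us.
EXPIRY_RECORDS = {
    "example-suggest.test": date(2027, 1, 15),
    "example-cdn.test": date(2025, 7, 1),
    "example-dead.test": date(2024, 12, 31),
}

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def registrable_domain(host):
    # Naive: last two labels. Fine for the constructed data; real code should
    # use the Public Suffix List (e.g. "co.uk" needs three labels).
    return ".".join(host.lower().split(".")[-2:])

def hardcoded_domains(source):
    """Unique registrable domains referenced by URLs in the source text."""
    return sorted({registrable_domain(h) for h in HOST_RE.findall(source)})

def classify(domain, records, today, warn_days=90):
    if domain not in records:
        return "UNREGISTERED"   # anyone could register it: takeover risk
    if records[domain] < today:
        return "EXPIRED"        # already lapsed, same risk
    if records[domain] - today <= timedelta(days=warn_days):
        return "EXPIRING_SOON"  # renew now
    return "OK"

def audit(source, records, today, warn_days=90):
    return {d: classify(d, records, today, warn_days)
            for d in hardcoded_domains(source)}

if __name__ == "__main__":
    for d, status in audit(SAMPLE_SOURCE, EXPIRY_RECORDS, date(2025, 6, 1)).items():
        print(f"{status:14} {d}")
```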
Samsung itself denies the characterization, and said that control of the domain "does not allow you to install malicious apps, it does not allow you to take control of users' phones."
But Ben Actis, an independent security researcher, backed up Gouveia's assessment. "The app can definitely install other apps," he told Motherboard. "Someone malicious could install whatever they wanted."
The news comes not long after the Korean giant caught negative ink for its Tizen operating system, in which a security researcher reportedly found as many as 40 zero-day bugs. Amihai Neiderman of Equus Software said that it is riddled with remote code execution flaws.
"Everything you can do wrong there, they do it," he said. "You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software."