Hackers can exploit bugs in Samsung pre-installed apps to spy on users

Samsung is working on patching multiple vulnerabilities affecting its mobile devices that could be used for spying or to take full control of the system.

The bugs are part of a larger set discovered and reported responsibly by one security researcher through the company’s bug bounty program.

Serious issues on Samsung devices

Since the beginning of the year, Sergey Toshin - the founder of Oversecured company specialized in mobile app security, found more than a dozen vulnerabilities affecting Samsung devices.

For three of them, the details are light at the moment because of the high risk they pose to users. Without getting into particularities, Toshin told BleepingComputer that the least severe of these issues could help attackers steal SMS messages if they trick the victim.

The other two are more serious, though, as they are stealthier. Exploiting them requires no action from the Samsung device user. An attacker could use it to read and/or write arbitrary files with elevated permissions.

It is unclear when the fixes will be pushed to the users, because the process typically takes about two months due to various testing of the patch to make sure that it does not cause other problems

Toshin reported all three security vulnerabilities responsibly and is currently waiting to receive the bounties.

17 issues responsibly disclosed

From Samsung alone, the hacker collected close to $30,000 since the start of the year, for disclosing 14 issues. The other three vulnerabilities are currently waiting to be patched

For seven of these already patched bugs, which brought $20,690 in bounties, Toshin provides technical details and proof-of-concept exploitation instructions in a blog post today.

The hacker discovered the bugs in pre-installed apps on Samsung devices using the Oversecured scanner that he created specifically to help with the task.

He reported the flaws in February and also published a video demonstrating how a third-party app obtained device admin rights. The exploit, a zero-day at the time, had an unwanted side effect, though: in the process of getting elevated privileges, all other apps on the Android phone were deleted.

The bug was patched in April. It impacted the Managed Provisioning app and is now tracked as CVE-2021-25356. The hacker received $7,000 for reporting it.

Toshin received another hefty bounty ($5,460) for sharing details with Samsung about an issue (CVE-2021-25393) in the Settings app that allowed gaining read/write access to arbitrary files with privileges of a system user.

The third best paid ($4,850) vulnerability from this February batch allowed writing arbitrary files as a Telephony user, which has access to call details and SMS/MMS messages.

Samsung patched most of these flaws in May. However, Toshin told BleepingComputer that Samsung also patched another set of seven bugs that he disclosed through the company’s bug bounty program.

These carried risks like reading/writing access to user contacts, access to the SD card, and leaking personal information like phone number, address, and email.

Users are advised to apply the latest firmware updates from the manufacturer to avoid potential security risks.

Toshin reported more than 550 vulnerabilities in his career, earning over $1 million in bug bounties, through the HackerOne platform and various bug bounty programs.