Sergey Toshin, head of Oversecured, a company specializing in mobile application security, has discovered multiple vulnerabilities in apps preinstalled on Samsung devices. These bugs can be used to spy on the user or to gain complete control of the device.
Detailed information about the three vulnerabilities has not yet been disclosed because of the danger they pose to users. Toshin explains that the least serious of them could let attackers steal the victim’s SMS messages, provided the user can be tricked into taking some action.
The other two problems look even worse: exploiting them requires no action from the user of the Samsung device at all. An attacker could use them to read and write arbitrary files with elevated privileges.
“The exploitation of these errors could allow an attacker to access and edit the victim’s contacts, calls, SMS / MMS, install arbitrary applications with administrator rights, and read and write arbitrary files on behalf of the system user, which could change the device settings,” the expert writes.
It is not yet clear when patches for these problems will be released, but the process usually takes about two months, since developers need to test the fixes and make sure they do not cause other problems.
Toshin reported the bugs to Samsung and is currently awaiting the reward. Since the beginning of 2021 the researcher has already earned about $30,000 for 14 problems in Samsung products alone.
The researcher was paid $20,690 for seven bugs that have already been fixed, and Toshin has now published the technical details and PoC instructions for those bugs on the Oversecured blog.
The researcher found the bugs in apps preinstalled on Samsung devices using the Oversecured scanner, which he built specifically for this purpose. In February of this year he notified the company of the problems and also posted a video demonstrating how a third-party application obtains device administrator rights. That exploit had an unpleasant side effect, however: during the privilege escalation, all other applications on the Android device were removed.
0day on all Samsung devices: installing third-party apps and providing them Device Admin rights (no permissions required). However, it also leads to all other apps being deleted 😂 pic.twitter.com/yjy2AsoWTU
— Sergey Toshin (@_bagipro) February 14, 2021
This vulnerability was patched in April 2021. It affected the Managed Provisioning application and now has the identifier CVE-2021-25356. Toshin received $7,000 for it.
The researcher received another large reward ($5,460) for reporting CVE-2021-25393 in the Settings app to Samsung. It allowed read/write access to arbitrary files with system-user privileges.
The third-largest reward ($4,850) from the February patch set went for a vulnerability that allowed writing arbitrary files as the Telephony user, which has access to call and SMS/MMS data.
In May Samsung fixed most of these bugs. Toshin also writes that Samsung has fixed another set of seven bugs he reported through the bug bounty program. Those issues gave read/write access to users’ contacts and access to the SD card, and could lead to leakage of personal information, including phone number, address and email.
Over his career, Sergey Toshin has discovered more than 550 vulnerabilities in various products, earning over a million dollars in rewards through the HackerOne platform and manufacturers’ bug bounty programs.
The Samsung application vulnerabilities described in the blog post:
- CVE-2021-25356 – third-party authentication bypass in Managed Provisioning
- CVE-2021-25388 – arbitrary application installation via Knox Core
- CVE-2021-25390 – intent redirection in PhotoTable
- CVE-2021-25391 – intent redirection in Secure Folder
- CVE-2021-25392 – access to the DeX notification policy file
- CVE-2021-25393 – arbitrary file read/write as the system user in Settings
- CVE-2021-25397 – arbitrary file write via TelephonyUI