After a team exploited iOS 9 vulnerabilities, remotely hacked Apple devices and earned $1 Million earlier this week the time has come for and Android device.
Recently Google conducted a research on Samsung Galaxy S6 Edge and reported 11 security flaws that might allow hackers to overtake device and one of them even lets an attacker write any file to the victim’s system without permission.
The most of the Android devices are manufactured by different companies than Google. Original Equipment Manufacturers or OEMs are using Android Open-Source Project (AOSP) as the foundation for their handheld gadgets, therefore they represent a sensitive area for Android cyber security.
Google on Samsung Galaxy S6 Edge
Google’s Project Zero decided to dig dipper in Samsung Galaxy S6 Edge security and was divided into two groups, North America and Europe. There were 3 objectives for each team:
- Gain remote access to contacts, photos, and messages. More points were given for attacks that don’t require user interaction and required fewer device identifiers.
- Gain access to contacts, photos, geolocation, etc. from an application installed from Play with no permissions
- Persist code execution across a device wipe, using the access gained in parts 1 or 2
As a result, 11 main security flaws have been discovered. Below you can see the most important discoveries according to Project Zero.
Samsung WifiHs20UtilityService path traversal
The directory traversal bug, discovered by Mark Brand, allows a hacker to write a file as a system. Samsung Galaxy S6 Edge uses a process that scans for a file in /sdcard/Download/cred.zip and unzips it. Since the API does not have the capability to verify the real file path it may be written in other locations. The bug can be exploited using this method.
Samsung SecEmailComposer QUICK_REPLY_BACKGROUND permissions weakness
As you might have already guessed from the title it is an Email Client bug. Samsung Email Client lacks the authentication capabilities in the intent handler of the client. A malicious application can send a chain of intents in order to forwards legitimate user’s emails to any other account. This flaw was discovered by James Forshaw
Samsung SecEmailUI script injection
Yes, there is another Email security flaw, which James Forshaw discovered with Matt Tait, allowing attackers to embedded JavaScript into a message that is then executed by the Samsung Email Client. According to Project Zero:
It is somewhat unclear what the worst-case impact of this issue is, but it certainly increases the attack surface of the email client, as it would make JavaScript vulnerabilities in the Android WebView reachable remotely via email.
For information about other bugs please head to CVEs:
Driver Bugs
Image Parsing