An Oversecured security researcher has discovered more than a dozen vulnerabilities in preinstalled apps on Samsung smartphones. After a successful attack, attackers could compromise the affected devices to a large extent. Samsung has not yet released security updates for all of the vulnerabilities.
No details for unpatched gaps
In a detailed blog post the security researcher provides information on the vulnerabilities. The classification of the degree of threat is still pending for the majority of them. He is also withholding details on three unpatched vulnerabilities that, according to him, are particularly dangerous, so that potential attackers do not get too much information. Samsung has not yet communicated when the updates will appear.
In general, we noticed on Galaxy smartphones that many Samsung inbox apps can only update themselves automatically if you are logged into the Galaxy Store with a Samsung account.
The security researcher reported the first vulnerabilities to Samsung in February 2021. It is not yet known which devices and Android versions are specifically affected.
Bug Bounty Rewards
The security researcher has pocketed cash rewards for reporting the vulnerabilities to Samsung's bug bounty program. He received the highest reward ($7,000) for the vulnerability (CVE-2021-25356) in the managed provisioning app, which is rated with the threat level "high". If an attacker successfully exploits the vulnerability, he could install his own apps with admin rights and delete other apps. Samsung states that it closed the vulnerability on the April patch day.
By exploiting the other vulnerabilities, attackers could, among other things, access saved contacts and the SD card and read out details of SMS messages. Some attacks are said to succeed without any interaction from the victim. For some of these vulnerabilities, Samsung said it released updates on the May patch day.