A number of flaws have been found in Samsung's Android handsets that allow an attacker to manipulate the privilege the device assigns to its apps, and access the victim's emails among other threats. Another vulnerability reported separately, makes it a child's play to bypass the Factory Reset Protection on Samsung phones and claim ownership of the device. Samsung has a patched majority of the vulnerabilities.
Google researchers found 11 vulnerabilities in Samsung's code used in the Galaxy S6 Edge that, if exploited, allow an attacker to target various aspects of the handset. Among those vulnerabilities, one is a path traversal vulnerability in Samsung's WifiHs20UtilityService. The service is programmed to scan for Zip archive file in a predefined location on the storage partition and extract it. The vulnerability can be exploited to make system files unpack in an unintended location.
Another notable vulnerability was found in the SecEmailCompose service that handles Samsung's email client. The vulnerability can be exploited to cause a user's email to be forwarded to another account. "It is a very noisy attack, as the forwarded emails show up in the user's sent folder, but it is still easy access to data that not even a privileged app should be able to access," the researchers explained.
Other vulnerabilities were found in the drivers of the Galaxy S6 Edge, and the company's handler that processes images. These can be exploited by an attacker to manipulate their privileges.
"Overall, we found a substantial number of high-severity issues, though there were some effective security measures on the device which slowed us down. The weak areas seemed to be device drivers and media processing. We found issues very quickly in these areas through fuzzing and code review. It was also surprising that we found the three logic issues that are trivial to exploit. These types of issues are especially concerning, as the time to find, exploit and use the issue is very short," the researchers wrote in a blog post.
The researchers noted that Samsung has patched the path traversal, the vulnerability that affected the email client, and six more flaws. It is not known when Samsung will fix the other three vulnerabilities, and whether it has rolled out the patch to the Galaxy S6 Edge handset yet.
A separate vulnerability demonstrated by security enthusiast RootJunky shows that it is surprisingly easy to bypass the Factory Reset Protection feature on the Galaxy Note 5 (and other Samsung-made Android handsets). By default, Google's Android software requires the registered Gmail address to be logged when a user reboots the device from recovery menu. The idea is to make it impossible for thieves to steal your phone, wipe it, and claim ownership of it.
Samsung has altered the process a little. It pulls up a file manager when the device is plugged into an external storage device. A user can bypass the security by opening a file and triggering Settings app. We've reached out to Samsung for comments.