Samsung Android phones have been discovered to have a security flaw that allows hackers to remotely control a phone over the Internet, and perform several tasks including locking and unlocking the device, finding its location on a map, displaying a customized message on the screen, and even wiping it without the owner being able to do anything about it. Furthermore, the security flaw could be used in more advanced hacks such as ransom attacks, The Register reports.
Researcher Mohamed Baset discovered a zero-day flaw in Samsung’s Find My Mobile feature, which is meant to let users find their lost or stolen devices. However, it looks like Samsung isn’t checking where Find My Mobile requests come from, which means hackers can impersonate device owners.
The U.S. National Vulnerability Database acknowledged the flaw, giving it a 7.8 out of 10 risk rating.
“The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic,” the agency said in an advisory notice.
Samsung has yet to address this particular security issue. A video showing the flaw being exploited, uploaded on YouTube by “Baset,” follows below.