Samsung is scrambling to fix a number of high-risk security vulnerabilities which have been found to leave its smartphones dangerously exposed to hackers.
There aren’t too many details at present because of how serious these vulnerabilities are, but one of them, which has yet to be fixed as of the time of this writing, reportedly gives hackers a way to trick you into handing over access to your SMS text messages. Sergey Toshin, founder of Oversecured (which specializes in mobile app security), writes in a company blog post that “multiple dangerous vulnerabilities” have been found hiding in pre-installed apps on some Samsung devices. “The impact of these bugs could have allowed an attacker to access and edit the victim’s contacts, calls, SMS/MMS, install arbitrary apps with device administrator rights, or read and write arbitrary files on behalf of a system user which could change the device’s settings,” the Oversecured blog post notes.
According to Toshin, he has come across more than a dozen vulnerabilities in Samsung devices since the start of the year, and while many have been addressed by the South Korea-based tech giant, several have not yet been fixed. For example, one of the bugs affected Samsung’s Secure Folder app and Samsung’s Knox security software, both of which are pre-installed on the company’s devices.
These Samsung device vulnerabilities were reported by BleepingComputer, which noted that Toshin published a video in February related to one of the vulnerabilities, showing how a third-party app, via what was a zero-day exploit at the time, could obtain device administrator rights.
All of this offers yet another reminder to make sure you’re always running the latest software from your mobile device manufacturer, which will include the most recent security updates. BleepingComputer goes on to note that 14 of 17 issues that Toshin disclosed to Samsung have been fixed. One of the remaining three involves the SMS issue we noted above, while BleepingComputer adds that “The other two are more serious, though, as they are stealthier. Exploiting them requires no action from the Samsung device user. An attacker could use it to read and/or write arbitrary files with elevated permissions.”
It’s not clear at this point when fixes for these remaining problems will be pushed out to users. Among other things, each fix has to be tested to make sure it doesn’t inadvertently break other aspects of the device or software, a process that can take a couple of months.