An analysis from mobile security startup Oversecured showed that pre-installed apps in Samsung's Android devices contained seven critical security vulnerabilities, which could have provided hackers access and control to users' devices, reports The Hacker News.
Among the vulnerabilities are a third-party authentication bypass in Managed Provisioning, tracked as CVE-2021-25356; an arbitrary app installation flaw in Knox Core, tracked as CVE-2021-25388; intent redirection flaws in PhotoTable and Secure Folder, tracked as CVE-2021-25390 and CVE-2021-25391, respectively; a notification policy file flaw in DeX, tracked as CVE-2021-25392; an arbitrary read/write access flaw in the Settings app, tracked as CVE-2021-25393; and an arbitrary file write vulnerability in TelephonyUI, tracked as CVE-2021-25397.
"The impact of these bugs could have allowed an attacker to access and edit the victim's contacts, calls, SMS/MMS, install arbitrary apps with device administrator rights, or read and write arbitrary files on behalf of a system user which could change the device's settings," said Oversecured founder Sergey Toshin, who reported the vulnerabilities in February. Samsung addressed the flaws in its April and May security updates.
Among the vulnerabilities are a third-party authentication bypass in Managed Provisioning, tracked as CVE-2021-25356; an arbitrary app installation flaw in Knox Core, tracked as CVE-2021-25388; intent redirection flaws in PhotoTable and Secure Folder, tracked as CVE-2021-25390 and CVE-2021-25391, respectively; a notification policy file flaw in DeX, tracked as CVE-2021-25392; an arbitrary read/write access flaw in the Settings app, tracked as CVE-2021-25393; and an arbitrary file write vulnerability in TelephonyUI, tracked as CVE-2021-25397.
"The impact of these bugs could have allowed an attacker to access and edit the victim's contacts, calls, SMS/MMS, install arbitrary apps with device administrator rights, or read and write arbitrary files on behalf of a system user which could change the device's settings," said Oversecured founder Sergey Toshin, who reported the vulnerabilities in February. Samsung addressed the flaws in its April and May security updates.