Roberto Paleari was looking into the inner workings of Samsung devices and found a series of vulnerabilities. How serious are they? He’s noted four separate security issues:
1. Two different vulnerabilities can be exploited to silently install highly-privileged applications with no user interaction. The privileged applications to be installed can be embedded right inside the unprivileged application package, or downloaded "on the fly" from an on-line market.
2. Another issue, different from the previous ones, allows attackers to send SMS messages without requiring any Android privilege (normally, Android applications are required to have the android.permission.SEND_SMS permission to perform this task).
3. An additional vulnerability can be used to silently perform almost any action on the victim’s phone, ranging from placing phone calls to sending e-mails, SMS messages, and so on.
4. The remaining security issues allow attackers to change other settings of the victim’s phone, such as networking or Internet settings, without the user’s consent.
He’s even put together a proof-of-concept app and recorded it so you can see the first one in action.
So what do you do with information like this? He reported it to Samsung. And what have they done with it? Nothing. He noted that he first made this report in January, and while fixes are relatively simple, none have been made. You can read all of the details here, but considering how many ads are playing about Samsung security, you would think they actually took it seriously.