Flaws in Samsung Phones Exposed Android Users to Remote Attacks


New research has disclosed a string of severe security
vulnerabilities in 'Find My Mobile', an Android app that
comes pre-installed on most Samsung smartphones, that could have
allowed remote attackers to track victims' real-time location,
monitor phone calls and messages, and even delete data stored on
the phone.

Portugal-based cybersecurity services provider Char49 revealed its
findings [1] on Samsung's Find My Mobile Android app at the DEF CON
conference last week and shared details with The Hacker News.

"This flaw, after setup, can be easily exploited and with severe
implications for the user and with a potentially catastrophic
impact: permanent denial of service via phone lock, complete data
loss with factory reset (SD card included), serious privacy
implication via IMEI and location tracking as well as call and SMS
log access," Char49's Pedro Umbelino said in a technical
analysis.


The flaws, which work on unpatched Samsung Galaxy S7, S8, and S9+
devices, have been addressed by Samsung, which rated the issue a
"high impact vulnerability."

Samsung's Find My Mobile [2] service allows owners of Samsung
devices to remotely locate or lock their smartphone or tablet, back
up data stored on the devices to Samsung Cloud, wipe local data, and
block access to Samsung Pay.

According to Char49, there were four different vulnerabilities
in the app that could have been exploited by a malicious app
installed on the targeted device, thus creating a man-in-the-disk
attack [3] to hijack communication from the backend servers and
snoop on the victim.


The flaw stems from the fact that the app checks for a specific
file on the device's SD card ("/mnt/sdcard/fmm.prop") and, if it is
present, reads a server URL from it (the "mg.URL" property). Because
the SD card is shared storage that other apps can write to, a rogue
app can create this file and thereby point the app at a server of
the attacker's choosing, hijacking its communications.
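The defensive counterpart of the file check described above, as an added example that is not Char49's analysis code or Samsung's own implementation: a configuration file read from shared storage is treated as untrusted input, and the URL it supplies is accepted only if it uses HTTPS and its host is on a fixed allowlist. The path and property name come from the article; the hostnames, the default URL and the sample file contents are constructed for the example.

```python
"""Added example (not Char49's or Samsung's code): validate a server URL
read from a configuration file on shared storage before using it.

The article describes an app that loads "mg.URL" from
"/mnt/sdcard/fmm.prop", a location any app with storage access can
write to. Here the value is used only if it is HTTPS and its host is
allowlisted; otherwise the built-in server address is kept. Hostnames
and file contents are constructed placeholders.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed defaults: the real service host is not given in the article.
DEFAULT_URL = "https://fmm.example.com/api"
ALLOWED_HOSTS = frozenset({"fmm.example.com"})


def parse_properties(text: str) -> dict:
    """Parse a minimal Java .properties file: key=value or key:value
    lines, '#' and '!' comment lines, surrounding whitespace stripped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The first '=' or ':' separates the key from the value.
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""
            continue
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def select_server_url(prop_text: Optional[str]) -> str:
    """Return the server URL to use. A URL taken from shared storage is
    honoured only if it is HTTPS and its host is allowlisted; every
    other case falls back to DEFAULT_URL."""
    if prop_text is None:  # no fmm.prop on the SD card
        return DEFAULT_URL
    candidate = parse_properties(prop_text).get("mg.URL")
    if not candidate:
        return DEFAULT_URL
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_URL  # reject redirection to a foreign host
    return candidate


# Constructed sample of the file a rogue app might drop on the SD card.
ROGUE_FMM_PROP = """# constructed sample, not a real capture
mg.URL=http://evil.example.net/collect
"""

if __name__ == "__main__":
    print(select_server_url(None))            # built-in default
    print(select_server_url(ROGUE_FMM_PROP))  # rogue value rejected
```

The stricter fix, and the one the researcher recommends later in the article, is not to read such a file from shared storage at all; the allowlist check is the minimum that stops a dropped file from redirecting traffic.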

"By pointing the MG URL to an attacker-controlled server and
forcing the registration, the attacker can get many details about
the user: coarse location via the IP address, IMEI, device brand,
API level, backup apps, and several other pieces of information,"
Umbelino said.

To achieve this, a malicious app installed on the device uses an
exploit chain that leverages two different unprotected broadcast
receivers [4] to redirect the commands the Find My Mobile app
exchanges with Samsung's servers to a different server under the
attacker's control, which then issues its own commands.

The malicious server also forwards each request to the legitimate
server and retrieves the response, but not before injecting its own
commands into the server responses.

In doing so, a successful attack could allow a hacker to track
the device’s location, grab call data and text messages for spying,
lock the phone for ransom, and erase all data through a factory
reset.

Needless to say, the vulnerability is yet another indicator of
how an app that’s meant to safeguard users against information loss
can be susceptible to a number of flaws that can defeat the app’s
purpose.

“The FMM [Find My Mobile] application should not have arbitrary
components publicly available and in an exported state,” Umbelino
said. “If absolutely necessary, for example if other packages call
these components, then they should be protected with proper
permissions. Testing code that relies on the existence of files in
public places should be eliminated.”
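A check for the class of weakness Umbelino describes, as an added example that is not Char49's tooling or Samsung's code: the script reads an AndroidManifest.xml and lists components that other apps can reach, either because android:exported="true" is set or because the component declares an intent-filter and leaves android:exported unset (the default for such components on target SDK levels below 31), and that declare no android:permission. The manifest, package and class names below are constructed for the example.

```python
"""Added example (not Char49's or Samsung's code): list manifest
components that are exported without a protecting permission.

A component counts as exported if android:exported="true", or if it has
an intent-filter and android:exported is unset (exported by default on
older target SDK levels). The sample manifest is constructed; the
package and class names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_unprotected_exports(manifest_xml: str) -> list:
    """Return (tag, name) pairs for components exported without a permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported == "true" or (exported is None and has_filter):
                if _attr(comp, "permission") is None:
                    findings.append((tag, _attr(comp, "name")))
    return findings


# Constructed manifest: two receivers modelled on the article's description,
# one internal receiver, and one exported service that is permission-gated.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fmm">
  <application>
    <receiver android:name=".RegistrationReceiver" android:exported="true">
      <intent-filter><action android:name="com.example.fmm.REGISTER"/></intent-filter>
    </receiver>
    <receiver android:name=".CommandReceiver">
      <intent-filter><action android:name="com.example.fmm.COMMAND"/></intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.fmm.permission.SYNC"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name in find_unprotected_exports(SAMPLE_MANIFEST):
        print(f"{tag} {name} is exported without a permission")
```

Run it against a decoded manifest (for example the output of apktool) to get the list of components to review; each hit either needs android:exported="false" or an android:permission that callers must hold, which is exactly the remediation quoted above.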

References

  1. revealed its findings (char49.com)
  2. Find My Mobile (findmymobile.samsung.com)
  3. man-in-the-disk attack (thehackernews.com)
  4. broadcast receivers (developer.android.com)
