Although these days I use an iPhone as my primary smartphone device, I do still own a Samsung Galaxy Note 10+ 5G for backup and burner usage. If you own a Samsung smartphone, running a broad sweep of Android versions from 9 through 12, I have some good and bad news for you. Serious, and seriously shocking, security news at that.
Researchers at Kryptowire have this week published a report detailing how they discovered a serious high-severity vulnerability in the pre-installed Phone app across multiple models that could enable a hacker to take control of your phone. What sort of control? Well, the researchers said, everything from a factory reset and making calls to installing, or deleting, apps. All of this by an unauthorized user if the victim had installed any third-party app that was tweaked to “mimic system-level activity and hijack critical protected functionality,” according to the Kryptowire report.
The bad news for Samsung smartphone users in more detail
The Kryptowire chief technical officer, Alex Lisle, posed the question, “ever think someone else has access to your phone?” Here’s the unwelcome news by way of his answer: “unfortunately, you may be right.” The high-severity vulnerability, CVE-2022-22292, that the Kryptowire researchers discovered was every bit as shocking as Lisle made it sound.
The Phone app, pre-installed on Samsung smartphones, was found to have an insecure component that essentially gave local apps, apps without system-level privileges, the ability to perform such privileged operations anyway without user authorization.
In the full, technical, report on this shocking Samsung security faux pas, the researchers say that devices running any version of Android between 9 and 12 were impacted. There were some differences between how versions 10 to 12 could be exploited compared to version 9, but the result was the same: a compromised smartphone without the user knowing it.
Although the full extent as to which Samsung smartphones were vulnerable to this attack methodology remains unknown, the researchers were able to demonstrate an exploit using a …….