Modernizing Authentication — What It Takes to Transform Secure Access
All of the vulnerabilities, Paleari says, were caused by Samsung's Android customizations. "I would like to stress ... that these issues are not caused by bugs inside the 'vanilla' Android system, but are all caused by Samsung-specific software and customizations," he writes.
Paleari says he reported the vulnerabilities to Samsung on January 17, but never received any indication from Samsung that they intendedto patch the flaws. The only response he's received, he says, was that they're still "in the process of checking for the vulnerabilities."
In all cases, Paleari says, no specific Android privileges are required for the attacks to succeed, meaning that malicious code could easily be concealed in a seemingly benign application with limited privileges.
Two of the vulnerabilities can be leveraged to install highly-privileged applications with no user interaction. One vulnerability allows an attacker to send SMS messages without permission, and another vulnerability can be used to perform just about any action on the device, including placing phone calls and sending e-mails and SMS messages. The remaining two vulnerabilities allow attackers to change device settings, including network settings, without the user's consent.
"The ability to silently install privileged applications or to send SMS messages are quite appealing tasks for mobile malware authors and, to make things even worse, most of the issues I reported to Samsung are also pretty easy to find," Paleari writes. "As a consequence, I won't be surprised to find some malware in the wild that exploits these or similar vulnerabilities."