
Samsung Flagship Galaxy S6 Edge hacks – Found by Google


Recently, Google's Project Zero researched a popular Android phone, the Samsung Galaxy S6 Edge, and found 11 high-severity security bugs in the handset.

As everyone knows, most smartphone manufacturers build on the Android Open Source Project (AOSP). Three Google teams worked on this device for almost a week and found a number of issues.

Each team worked on three challenges, which Project Zero felt are representative of the security boundaries of Android that are typically attacked. They could also be considered components of an exploit chain that escalates to kernel privileges from a remote or local starting point.

  • Gain remote access to contacts, photos and messages. More points were given for attacks that don't require user interaction and that require fewer device identifiers.
  • Gain access to contacts, photos, geolocation, etc. from an application installed from Play with no permissions.
  • Persist code execution across a device wipe, using the access gained in parts 1 or 2.

The 11 major threats are listed below. Though I could not understand much from the listing, I decided to share it with readers. Most of the issues were found in device drivers and image processing, and there were also some logic issues in the device that were high impact and easy to exploit.

  1. Samsung WifiHs20UtilityService path traversal – CVE-2015-7888
    It is a directory traversal bug that allows a file to be written as the system user. A process running as system on the device scans for a zip file at /sdcard/Download/cred.zip and unzips it. Unfortunately, the API used to unzip the file does not verify the entry paths, so files can be written to unexpected locations.
  2. Samsung SecEmailComposer QUICK_REPLY_BACKGROUND permissions weakness – CVE-2015-7889
    It is a lack of authentication in one of the email client's intent handlers. An unprivileged application can send a series of intents that causes the user's emails to be forwarded to another account. It is a very noisy attack, as the forwarded emails show up in the user's sent folder, but it is still easy access to data that not even a privileged app should be able to access.

  3. Samsung SecEmailUI script injection – CVE-2015-7893
    This issue allows JavaScript embedded in a message to be executed in the email client. It is somewhat unclear what the worst-case impact of this issue is, but it certainly increases the attack surface of the email client, as it would make JavaScript vulnerabilities in the Android WebView reachable remotely via email.

  4. Driver Issues – CVE-2015-7890, CVE-2015-7891, CVE-2015-7892
    These could be used together with bugs in media processing, such as libstagefright bugs, to escalate to kernel privileges. CVE-2015-7891, found by Lee Campbell of the Chrome Security Team, is a concurrency issue leading to memory corruption in a driver that could be used to escalate from any unprivileged application or code execution to kernel privileges.
  5. Image Parsing Issues – CVE-2015-7894, CVE-2015-7895, CVE-2015-7896, CVE-2015-7897, CVE-2015-7898
    They allow escalation to the privileges of the Samsung Gallery app or the media scanning process.

  6. Severity and Mitigations
    The weak areas seemed to be device drivers and media processing. Project Zero found issues very quickly in these areas through fuzzing and code review. It was also surprising that three logic issues were found that are trivial to exploit. These types of issues are especially concerning, as the time to find, exploit and use the issue is very short.
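The root cause of item 1 above is an unzip routine that trusts archive entry names. The Python below is an added example, not code from Samsung or Project Zero, showing the check such an extractor must perform: every entry name is resolved against the destination directory and rejected if it would land outside it (relative `..` segments, absolute names, or a previously planted symlink). The archive, its entry names and the temporary directory layout are all constructed for the demo.

```python
import io
import os
import tempfile
import zipfile


def is_safe_member(name: str, dest: str) -> bool:
    """Return True only if extracting entry `name` under `dest` stays inside dest.

    realpath() resolves both '..' segments and any symlinks already present
    in dest, so an entry routed through a planted link is also rejected.
    """
    if not name or "\x00" in name:
        return False
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def safe_extract(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only the entries that pass is_safe_member.

    Returns (extracted_names, rejected_names) so the caller can log and alert
    on rejected entries rather than silently dropping them.
    """
    extracted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_test_zip() -> bytes:
    """Constructed sample archive: one benign entry and two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "benign content\n")
        zf.writestr("../escaped.txt", "would be written outside the extraction dir\n")
        zf.writestr("/abs/path.txt", "absolute path entry\n")
    return buf.getvalue()


def demo() -> dict:
    """Run the guarded extractor in a fresh temp dir and report what happened."""
    root = tempfile.mkdtemp(prefix="unzip-demo-")
    dest = os.path.join(root, "extract")
    os.makedirs(dest)
    extracted, rejected = safe_extract(build_test_zip(), dest)
    return {
        "extracted": extracted,
        "rejected": rejected,
        "benign_present": os.path.isfile(os.path.join(dest, "notes", "readme.txt")),
        # '../escaped.txt' relative to dest would be root/escaped.txt
        "escape_present": os.path.isfile(os.path.join(root, "escaped.txt")),
    }


if __name__ == "__main__":
    result = demo()
    print("extracted:", result["extracted"])
    print("rejected: ", result["rejected"])
```

Python's own `ZipFile.extractall` already strips such components, so the explicit check here stands in for what any extraction API running as a privileged user must do before touching the filesystem; returning the rejected names, rather than discarding them, gives the service something to log when an archive is tampered with.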

Samsung has fixed every issue except three, which it is still working on.


Issue            Status
CVE-2015-7888    Fixed
CVE-2015-7889    Fixed
CVE-2015-7890    Fixed
CVE-2015-7891    Fixed
CVE-2015-7892    Fixed
CVE-2015-7893    Unfixed
CVE-2015-7894    Fixed
CVE-2015-7895    Unfixed
CVE-2015-7896    Fixed
CVE-2015-7897    Fixed
CVE-2015-7898    Unfixed

Source : Google Project Zero

About the author

Rakesh Bhatia