Although these days I use an iPhone as my primary smartphone device, I do own a Samsung Galaxy Note 10+ 5G for backup and burner usage. If you own a Samsung smartphone, running a broad sweep of Android versions from 9 through 12, I have some good and bad news for you. Serious, and seriously shocking, security news at that.
Researchers at Kryptowire have this week published a report detailing how they discovered a serious high-severity vulnerability in the pre-installed Phone app across multiple models that could enable a hacker to take control of your phone. What sort of control? Well, the researchers said, everything from a factory reset and making calls to installing, or deleting, apps. All of this by an unauthorized user if the victim had installed any third-party app that was tweaked to “mimic system-level activity and hijack critical protected functionality,” according to the Kryptowire report.
The bad news for Samsung smartphone users in more detail
The Kryptowire chief technical officer, Alex Lisle, posed the question, “ever think someone else has access to your phone?” Here’s the unwelcome news by way of his answer: “unfortunately, you may be right.” The high-severity vulnerability, CVE-2022-22292, that the Kryptowire researchers discovered was every bit as shocking as Lisle made it sound.
The Phone app, pre-installed on Samsung smartphones, was found to have an insecure component that essentially gave local apps, apps without system-level privileges, the ability to perform such privileged operations anyway without user authorization.
In the full technical report on this shocking Samsung security faux pas, the researchers say that devices running any version of Android between 9 and 12 were impacted. There were some differences between how versions 10 to 12 could be exploited compared to version 9, but the result was the same: a compromised smartphone without the user knowing it.
Although the full list of Samsung smartphones vulnerable to this attack methodology remains unknown, the researchers were able to demonstrate an exploit using a Samsung Galaxy S21 Ultra 5G with the most recent Android 12 build, for example. A Samsung Galaxy S10+ and a Samsung Galaxy A10e were also used during the compromise testing. A Samsung Galaxy S8 running Android 8, however, was found not to be vulnerable. The bad news, then, is that if you have pretty much any Samsung smartphone running Android version 9 onwards, this vulnerability is likely to have been present.
I approached Samsung for an official statement but at the time of publication had yet to receive a reply.
And now here’s the good news
It’s not all bad news: full details of CVE-2022-22292 were disclosed to Samsung on November 27, 2021, and a patch was made available as part of the February 2022 security maintenance release program.
Assuming that your device has been updated to show a security patch level of February 2022 or later, you are protected. Not everyone will have updated, or been able to update, their device though. Mea culpa, my own Galaxy Note 10+ was lagging behind in this regard as I hadn’t used it for a couple of months. So, please do make sure to check your devices are up to date. You can do this by heading into your smartphone settings menu and selecting About Phone | Software Information, then scrolling down to Android security patch level.
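For anyone checking more than one handset, the same two values the settings screen shows (Android version and security patch level) can be read over adb. The script below is an added example, not code from the article, Kryptowire or Samsung; it uses the standard `ro.build.version.release` and `ro.build.version.security_patch` properties and assumes "2022-02-01" as the cutoff for the February 2022 maintenance release.

```shell
#!/bin/sh
# Added example: classify a Samsung device against the CVE-2022-22292 advisory
# (affected range Android 9-12, fixed in the February 2022 security release).
# Assumption: the first patch level that carries the fix is "2022-02-01".

PATCH_CUTOFF="2022-02-01"

# Turn a YYYY-MM-DD patch level into YYYYMMDD so it can be compared numerically.
patch_to_number() {
    y="${1%%-*}"; rest="${1#*-}"; m="${rest%%-*}"; d="${rest#*-}"
    echo "$y$m$d"
}

# cve_2022_22292_status <android_release> <security_patch_level>
# Prints: outside-range | patched | unpatched | unknown
cve_2022_22292_status() {
    release="$1"; patch="$2"
    major="${release%%.*}"                      # "12" from "12", "8" from "8.0.0"
    case "$major" in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac
    # Android 8 was tested as not vulnerable; 13+ ships with later patch levels.
    if [ "$major" -lt 9 ] || [ "$major" -gt 12 ]; then
        echo "outside-range"; return 0
    fi
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    if [ "$(patch_to_number "$patch")" -lt "$(patch_to_number "$PATCH_CUTOFF")" ]; then
        echo "unpatched"
    else
        echo "patched"
    fi
}

# Read both values from a USB-connected device (only when CHECK_DEVICE=1 is set).
check_connected_device() {
    release=$(adb shell getprop ro.build.version.release | tr -d '\r\n')
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    echo "Android $release, patch level $patch: $(cve_2022_22292_status "$release" "$patch")"
}

[ "${CHECK_DEVICE:-0}" = "1" ] && check_connected_device
```

Run it with `CHECK_DEVICE=1 sh check.sh` against a connected phone; "unpatched" on an Android 9 to 12 Samsung device means the February 2022 update has not been applied.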