SAMSUNG'S PRE-INSTALLED APPS: Are they spying?
Let's analyze the accusation through facts & figures!
Recently, the famous multinational South Korean conglomerate SAMSUNG came into the limelight when many flaws were detected in some of its pre-installed apps.
Renowned cybersecurity specialist Sergey Toshin, founder of mobile security company Oversecured, found around a dozen possible vulnerabilities in some of Samsung's signature mobile phones, most notably the Samsung Galaxy Note 20.
Bug Bounty Program for the win!
These security flaws could be detected because of the company's BUG BOUNTY Program.
Bug bounty programs are platforms where multinational corporations and companies give hackers, developers and tech enthusiasts an opportunity to find bugs, errors or possible vulnerabilities in their software, programs, websites or mobile apps (as in this case), with the prospect of a reward as positive reinforcement for helping the company/organisation.
After the discovery of these critical security flaws in the phones' pre-installed apps, it was clear that, had these vulnerabilities been exploited, adversaries could have accessed our personal data without the user's consent and perhaps taken total control of the device.
Spying or not?
So, in a worst-case scenario, we could say that we may be spied on or... maybe not? Well, why is that?
“There have been no known reported issues globally and users should be assured that their sensitive information was not at risk. We addressed the potential vulnerability by developing and issuing security patches via software update in April and May 2021 as soon as we identified this issue,”
This was an official statement released by Samsung in response to all the news being spread about its "spying" apps.
So this leaves us with an ambiguity. Are we being spied on or not? The answer lies somewhere in the middle. Let's find out.
Ground Reality
The bugs are part of a larger set discovered and reported responsibly by the security researcher through the company’s bug bounty program.
“The impact of these bugs could have allowed an attacker to access and edit the victim’s contacts, calls, SMS/MMS, install arbitrary apps with device administrator rights, or read and write arbitrary files on behalf of a system user which could change the device’s settings,” says Sergey Toshin, founder of mobile security startup Oversecured.
This means that until we (users) have updated our Samsung devices, we remain vulnerable to attack. Breaching an unpatched device means cybercriminals could also install malicious apps with administrator rights and change the device’s default settings.
In a blog post explaining each of the flaws, Oversecured said that:
“These vulnerabilities could have led to a GDPR violation, and we are delighted that we could help Samsung identify and fix these vulnerabilities in a timely manner.”
Security researcher Sergey Toshin’s 17 CVEs
Sergey Toshin reported the specific flaws to Samsung in February 2021, following which patches were issued by the manufacturer as part of its monthly security updates for April and May.
As a reward for the flaws reported, he collected a whopping $30,000 since the start of the year. A total of 17 vulnerabilities were reported.
Out of the 17, seven of them are:
- CVE-2021-25356 - Third-party authentication bypass in Managed Provisioning
- CVE-2021-25388 - Arbitrary app installation vulnerability in Knox Core
- CVE-2021-25390 - Intent redirection in PhotoTable
- CVE-2021-25391 - Intent redirection in Secure Folder
- CVE-2021-25392 - Possible to access notification policy file of DeX
- CVE-2021-25393 - Possible to read/write access to arbitrary files as a system user (affects the Settings app)
- CVE-2021-25397 - Arbitrary file write in TelephonyUI
A security patch update: an update that is pushed from a software developer to all the devices running the software that needs it. The purpose of a security patch update is to close the security holes that a major software update or the initial software download did not.
CVE: Common Vulnerabilities and Exposures is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that has been assigned a CVE ID number.
The bug affecting the Managed Provisioning app was patched in April and is now tracked as CVE-2021-25356; it earned a $7000 reward, followed by $5460 for CVE-2021-25393 and another $4850 for CVE-2021-25397.
For more info about these CVEs and patches: [https://security.samsungmobile.com/securityUpdate.smsb](https://security.samsungmobile.com/securityUpdate.smsb)
WHAT CAN WE DO ABOUT IT?
If you haven’t updated your Samsung device, especially if it's new, you must do so as soon as possible. Here’s how:
- Swipe down with two fingers from the top of the screen and tap the Settings icon.
- Swipe to and then tap Software update or System updates. It will vary between models.
- Tap Download and install, or Check for system updates. If an update is available it will begin downloading, though you may need to tap Download now on some devices. When the download is complete, follow the on-screen instructions to install the update.
- You can set it up so that your device downloads updates automatically: just tap the Auto download over Wi-Fi switch.