Third-party app exploit reveals remote code attack vector on Samsung smartphones
Some recent security work on new Samsung smartphones will likely increase the pressure on manufacturers and carriers to dispense with preloading third-party apps. Security researchers say they found a way to deliver a payload capable of remote code execution via the Swift keyboard app that comes pre-installed on new Samsung devices. The vulnerability gives an attacker the ability to run code as a system user, one step shy of being root, and can be triggered without any input from the device’s user.
The researchers determined that Samsung, and likely other manufacturers, are running third-party apps like keyboards from a privileged context. To make this happen, the apps are signed with the manufacturer’s private signing keys. This opens the path to upstream attacks that can be triggered by events like a device reboot or an application update: any event that causes the app to go out on the Internet looking for a new file. The researchers note that attacks could be constructed using rogue Wi-Fi access points, via local area networks, or even something like DNS hijacking.
As many smartphone buyers are aware, many of the apps that end up installed on a device, including third-party apps, cannot be uninstalled, and in some cases they cannot even be disabled. Such is the case with the Swift keyboard, although it is not alone in that position and, obviously, Swift did not make that decision. Sadly, the researchers can only suggest avoiding insecure Wi-Fi networks to reduce risk, and possibly using a different mobile device. More help could be forthcoming if users start contacting their carriers for information on patches or updates that address the security weakness that has been identified.
source: NowSecure