Google finds severe holes in Galaxy S6 Edge, some remotely exploitable

Google security researchers put Samsung's Galaxy S6 Edge through its paces over one week and found major flaws in Android code added by the Korean company.
Written by Liam Tung, Contributing Writer
Google's Project Zero team said other Samsung devices, apart from the flagship Galaxy S6 Edge, may be affected by a file-write vulnerability.

Google's team of elite hackers at Project Zero has discovered 11 "high-impact" security flaws in Samsung's Galaxy S6 Edge.

Samsung's flagship device is just the latest target in the group's sights. As well as having probed several antivirus products and even Android itself, they had previously poked around in Windows and found serious bugs.

The most significant of the 11 bugs affecting the Galaxy S6 Edge was spotted by Project Zero researcher Mark Brand, who in late July told Samsung about a directory traversal bug in the device's WifiHs20UtilityService. The service scans for a zip file in /sdcard/Download/cred.zip and unzips it.

"Unfortunately, the API used to unzip the file does not verify the file path, so it can be written in unexpected locations," explained Project Zero member Natalie Silvanovich.

What makes it dangerous is that the "file-write vulnerability can be triggered by browsing to a website without any user interaction", Google notes in the Project Zero bug database. The type of attack, otherwise known as a drive-by download, is commonly employed against desktop browsers.

Additionally, the method Brand used was borrowed from similar attacks on Samsung phones disclosed publicly in July, meaning other hackers may be able to achieve the same.

Google tested the attack against a Verizon S6 Edge with model number SM-G925V, running a version of Android 5.0 Lollipop the carrier pushed out in early June.

According to Google, Samsung has addressed the bug through an SELinux policy update. But it also notes that other Samsung device models may be running WifiHs20UtilityService.

Another high-severity bug affecting Samsung's email client was easy to exploit, according to Google. A service used to support quick replies lacked authentication, allowing an unprivileged application to potentially gain access to email content.

"An unprivileged application can send a series of intents that causes the user's emails to be forwarded to another account. It is a very noisy attack, as the forwarded emails show up in the user's sent folder, but it is still easy to access data that not even a privileged app should be able to access," noted Silvanovich.

Details of the remaining bugs can be found on Project Zero's blog and its database of closed flaws.

Project Zero gives vendors 90 days to fix bugs it reports, after which the group publishes detailed information about the flaw. The idea is to push vendors to fix bugs sooner rather than later.

So why pick on Samsung's flagship handset, especially given its recent decision to follow Google's monthly patch cycle for Android?

Samsung is of course the largest Android OEM, making it the most significant brand that builds its devices on the Android Open Source Project. And OEMs are important due to their shared responsibility with Google in ensuring Android devices overall remain secure.

As a recent study showed, some 87 percent of Android handsets were vulnerable to at least one publicly-known flaw, largely because OEMs failed to deliver patches to end users. It also found Google and LG were far better at patching their respective handsets than Samsung, HTC and Asus.

"OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers," said Silvanovich.

Given the importance of OEMs, Google decided to focus on its biggest Android partner's flagship, setting up a contest between North American and European members of Project Zero to see who could dig up the most in a single week. Each team had five participants and the contest was also open to other Google security teams, such as the one working on Chrome.

The challenge the teams were tasked with was to find "components of an exploit chain that escalates to kernel privileges from a remote or local starting point" and they were awarded points based on factors that would make a bug more severe.

These factors included gaining remote access to contacts, photos, and messages, with more points given for attacks such as the drive-by attack found by Brand.

Other goals were to gain access to contacts and content from an app installed from Google Play that had no permissions, as well as to ensure code execution persisted across a device wipe.

"A week later, we had the results. A total of 11 issues were found in the Samsung device," Silvanovich said.

The good news for Galaxy S6 Edge owners -- and a promising sign that Samsung is taking patching more seriously -- is that eight of the bugs are in an OTA update, while three lower severity bugs remain unfixed.
