Based on recent reports, Android security vulnerabilities are a dime a dozen. Mobile security research firm Kryptowire has now detailed a vulnerability affecting Samsung smartphones running software versions from Android 9 through Android 12.
The research firm uncovered the vulnerability during its Kryptowire Mobile Application Security Testing (MAST). The testing found that the flaw permitted locally installed apps “to mimic system-level activity and ‘hijack’ critical protected functionality,” Kryptowire said.
After gaining access to the device in this fashion, an attacker could theoretically carry out a factory reset, remove or install apps, or even place phone calls. The vulnerability also allows an attacker to weaken HTTPS security via weaker root certificates. The flaw is tracked as CVE-2022-22292. Kryptowire first reported the bug to Samsung on November 27, 2021, and Samsung internally classified it as “High” severity.
Samsung fixed this bug with the February 2022 security patch
Fortunately, this vulnerability is no longer a concern for Samsung device owners who have installed the update. The company shipped the fix in the February 2022 Security Maintenance Release (SMR). The vulnerability reportedly stems from the default Phone app on Samsung devices running Android 9 to 12: an “insecure component” within the app allows locally installed apps to perform “privileged operations” without authorization.
“As points of vulnerability and associated threats increase, a proactive security posture represents the most reliable way to protect personal and corporate data from bad actors – criminals who stand increasingly more to gain, and whose methods are becoming increasingly sophisticated,” the research firm said.
Samsung recently found itself in trouble over the Dirty Pipe vulnerability (CVE-2022-0847), which affected devices in the Galaxy S22 lineup. Thankfully, the company has since fixed that flaw with the April 2022 SMR. Samsung has been ahead of the curve in terms of timely security updates, so this isn’t particularly surprising.
Dirty Pipe also impacts the Google Pixel 6 series. There is hope that it is fixed by the April 2022 security update for Pixels, which is also rolling out to the Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a 5G, Pixel 5, and Pixel 5a.