Google’s Project Zero security team recently examined Samsung’s Galaxy S6 Edge and found 11 “high-impact” security vulnerabilities, several of which could be used to steal user data or potentially take control of the device. Fortunately, the bugs described as having the highest potential for exploitation have been already patched by Samsung.
While Google is primarily responsible for maintaining the Android Open-Source Project tree, or AOSP, device manufacturers also introduce their own code in order to differentiate their devices from the competition. Often this includes additional apps and features built on top of Android.
Google is understandably interested in how easily exploitable this additional manufacturer code is, and cites the popularity of the Galaxy S6 Edge as their motivation for choosing that particular device. Other recent Samsung devices are also likely to be similarly vulnerable.
Over the course of a week, several security teams at Google competed with one another to find exploitable vulnerabilities, focusing primarily on those that could lead to the compromise of user data.
Several novel security issues were uncovered, including a directory-traversal bug that could allow files to be written to the device with system permissions. This is due to improper verification of the destination file path by the device.
Samsung’s email app was found to be particularly vulnerable, with several serious problems uncovered by Project Zero. Mishandling of the Android intent system, which allows one app to call on another to perform a specific task, made it possible for an unprivileged app to forward user emails to an account controlled by the attacker. Additionally, it fails to properly sanitize incoming messages for malicious JavaScript code, allowing an injected script to be executed by the client.
Google researchers also uncovered several driver errors that could be used to escalate to kernel-level privileges, allowing an attacker to take complete control of the device.
The most critical issues have already been addressed in a recent device update. Google credits Samsung for moving quickly to fix the vulnerabilities within 90 days of disclosure, though three bugs of lesser severity currently remain unpatched.