Although these days I use an iPhone as my primary smartphone, I still own a Samsung Galaxy Note 10+ 5G for backup and burner use. If you own a Samsung smartphone, running a wide range of Android versions from 9 to 12, I have good news and bad news for you. Serious and seriously shocking security news.
Kryptowire researchers released a report this week detailing how they discovered a high-severity vulnerability in the pre-installed Phone app on several models that could allow a hacker to take control of your phone. What kind of control? Well, according to the researchers, everything from factory resets and calls to installing or removing apps. All of this could be done by an unauthorized user if the victim had installed a modified third-party application able to “mimic system-level activity and hijack critical protected features,” according to Kryptowire’s report.
The bad news for Samsung smartphone users in more detail
Kryptowire CTO Alex Lisle posed the question, “Do you think anyone else has access to your phone?” Here’s the bad news by way of his answer: “unfortunately, you might be right.” The high-severity vulnerability, CVE-2022-22292, that Kryptowire researchers discovered was every bit as shocking as Lisle made it sound.
The Phone app, which comes pre-installed on Samsung smartphones, was found to have an insecure component that basically gave local apps, that is, apps without system-level privileges, the ability to perform such privileged operations anyway, without user authorization.
In the full technical report on this shocking Samsung security misstep, researchers say devices running any version of Android between 9 and 12 were impacted. There were some differences between how versions 10-12 could be exploited compared to version 9, but the result was the same: a compromised smartphone without the user knowing about it.
Although the extent to which Samsung smartphones were vulnerable to this attack methodology remains unknown, researchers were able to demonstrate an exploit using, for example, a Samsung Galaxy S21 Ultra 5G with the most recent version of Android 12. A Samsung Galaxy S10+ and a Samsung A10e were also used in the compromise tests. A Samsung Galaxy S8 running Android 8, however, was found not to be vulnerable. The bad news, then, is that if you own just about any Samsung smartphone running Android 9 through 12, this vulnerability is likely to have been present.
I approached Samsung for an official statement, but at the time of publication had yet to receive a response.
And now here’s the good news
It’s not all bad news: full details of CVE-2022-22292 were disclosed to Samsung on November 27, 2021, and a fix was made available as part of the February 2022 security maintenance release schedule.
Assuming your device has been updated to a security patch level of February 2022 or later, you are protected. However, not everyone will have updated or been able to update their device. Mea culpa, my own Galaxy Note 10+ lagged in this regard as I hadn’t used it for a few months. So be sure to check that your devices are up to date. You can do this by going to your smartphone’s settings menu and selecting About Phone | Software Information, then scrolling down to Android security patch level.
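For anyone checking more than one handset, the same patch-level check can be scripted. The POSIX shell script below is an added example and is not from the article or from Kryptowire: it compares a device’s Android security patch level (the `YYYY-MM-DD` string shown under Software Information) against the February 2022 level that carried the fix. Reading the level over `adb` via the `ro.build.version.security_patch` system property is an assumption about how you reach the device; the sample levels in `demo_report` are constructed for illustration.

```shell
#!/bin/sh
# Added example: is a device's Android security patch level at or beyond the
# February 2022 maintenance release that fixed CVE-2022-22292?

FIX_LEVEL="2022-02-01"   # first patch level that includes the fix

# is_patched LEVEL
#   returns 0 if LEVEL (YYYY-MM-DD) is at or after FIX_LEVEL,
#   1 if it is older, 2 if the string is not a patch level at all.
is_patched() {
  level="$1"
  case "$level" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo "unrecognised patch level: '$level'" >&2; return 2 ;;
  esac
  # Drop the dashes so the date compares as a plain integer (20220201).
  have=$(printf '%s' "$level" | tr -d '-')
  want=$(printf '%s' "$FIX_LEVEL" | tr -d '-')
  [ "$have" -ge "$want" ]
}

# device_patch_level
#   Assumption: the device is reachable over adb. Strips the trailing CR that
#   'adb shell' emits on some hosts so the value matches the pattern above.
device_patch_level() {
  adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# report LABEL LEVEL  -> one line of status for a device
report() {
  label="$1"; level="$2"
  if is_patched "$level"; then
    echo "$label: $level  OK (>= $FIX_LEVEL)"
  elif [ $? -eq 1 ]; then
    echo "$label: $level  NOT PATCHED, update the device"
  else
    echo "$label: could not read a patch level"
  fi
}

# demo_report: constructed sample values, not real device readings.
demo_report() {
  report "note10-backup"  "2021-11-01"
  report "s21-daily"      "2022-02-01"
  report "a10e-test"      "2022-05-01"
  report "unknown-device" "n/a"
}

# Typical use: report "my-phone" "$(device_patch_level)"
demo_report
```

Any device that prints NOT PATCHED should be updated before it is used again; the date comparison is deliberately strict, so a level of exactly 2022-02-01 passes and anything earlier does not.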