Malicious Apps Could Take Over Samsung Devices
Samsung devices, including the flagship S7, S8 and S9, were all vulnerable to a severe flaw that allowed any application to factory reset the phone, steal SMS messages and call logs, lock the phone with a custom PIN and message, locate the user and, in short, perform any action that Find My Mobile supports.
Find My Mobile
Find My Mobile (FMM) is a feature of Samsung devices for Samsung account owners that comes as a preinstalled system application. It allows the user to connect to the FMM website and try to locate their lost phone. From Samsung's website:
“Find My Mobile will help you locate your phone or tablet and protect your data. You can even use it to unlock if you forget your pattern, PIN, or password.”
Abusing FMM
Our research, which started as an audit of the Samsung S8, revealed a series of flaws that, when chained together, would allow a rogue application to take control of the communications between the Find My Mobile application and its underlying back-end servers.
By taking advantage of a small piece of legacy code, a malicious application could redirect the URL of one of the management servers and force FMM to update the addresses of all its supporting servers.
From then on, with the help of an attacker-controlled server, the attacker could perform a man-in-the-middle (MitM) attack and inject arbitrary actions that are supported by FMM into the victim's device.
Attack scenarios
Since FMM supports a wide range of actions, the attack scenarios could be from ‘simple’ user monitoring up to catastrophic erasure of all data in the device.
With the MitM attack alone, an attacker could permanently monitor a user and grab the device IMEI, account IDs and other personally identifiable information (PII), all in a persistent and transparent way; the victim would never realize what was happening.
In a more serious scenario, this could be used for ransomware, locking the user out of their own phone and demanding a ransom, or even completely erasing the device data.
Disclosure
A proof-of-concept (PoC) application, along with the server-side code required to implement this attack, was developed and shared with Samsung. The vulnerabilities were disclosed to Samsung at the beginning of last year and fixed throughout the year. Updates were pushed via the Galaxy Store.
After more than a year we believe it is relatively safe to disclose this issue, and we urge Samsung users who have not updated their phones to confirm that they are running the latest version of the Find My Mobile application.
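Checking that a device actually carries an updated Find My Mobile build is the one concrete step the advice above asks of users, and on a fleet it is easier to script than to do by hand. The POSIX shell snippet below is an added example, not code from the report or from Samsung: it parses the output of `adb shell dumpsys package <pkg>` for the installed `versionName` and compares it, field by field, against a minimum version. The package name `com.samsung.android.fmm` is an assumption, `MIN_FMM_VERSION` is a placeholder to be set to the version in which Samsung shipped the fix (the report does not state it), and the dumpsys text embedded in `SAMPLE_DUMPSYS` is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: check the installed Find My Mobile versionName against a minimum.
# Assumptions: the package name below, and the constructed dumpsys sample.

FMM_PKG="com.samsung.android.fmm"            # assumed FMM package name
MIN_FMM_VERSION="${MIN_FMM_VERSION:-0.0.0}"  # placeholder: set to the fixed version

# Constructed sample of `adb shell dumpsys package com.samsung.android.fmm`
# output; the version and ids here are made up for the demonstration.
SAMPLE_DUMPSYS='Packages:
  Package [com.samsung.android.fmm] (a1b2c3d):
    userId=10042
    versionCode=620100000 minSdk=28 targetSdk=29
    versionName=6.2.01.2
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]'

# Print the first numeric versionName found in dumpsys text read from stdin.
fmm_version_name() {
    sed -n 's/^[[:space:]]*versionName=\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing numerically per field,
# so "6.10" > "6.9.9" and "6" < "6.1". Missing fields count as 0.
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        nh = split(have, h, "[.]"); nw = split(want, w, "[.]")
        n = (nh > nw) ? nh : nw
        for (i = 1; i <= n; i++) {
            hv = (i <= nh) ? h[i] + 0 : 0
            wv = (i <= nw) ? w[i] + 0 : 0
            if (hv > wv) exit 0
            if (hv < wv) exit 1
        }
        exit 0
    }'
}

# Evaluate a dumpsys dump (stdin) against the minimum version in $1.
# Exit status: 0 = meets minimum, 1 = below minimum, 2 = package not in dump.
check_fmm_dump() {
    ver=$(fmm_version_name)
    if [ -z "$ver" ]; then
        echo "$FMM_PKG: not found in dump"
        return 2
    fi
    if version_at_least "$ver" "$1"; then
        echo "$FMM_PKG $ver: meets minimum $1"
        return 0
    fi
    echo "$FMM_PKG $ver: BELOW minimum $1, update via Galaxy Store"
    return 1
}

# Live use on a connected device (not run here):
#   adb shell dumpsys package "$FMM_PKG" | check_fmm_dump "$MIN_FMM_VERSION"
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_DUMPSYS" | check_fmm_dump "$MIN_FMM_VERSION"
```

The comparison is done in awk rather than with a string test because `versionName` values such as `6.2.01.2` and `6.10` do not sort correctly as strings; each field is coerced to a number so leading zeros and differing field counts are handled. Run it over `adb shell dumpsys package` output from each device to flag the ones still carrying a build older than the fix.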
Download the technical report (PDF) here