Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google: Protections Added by Samsung to Android Kernel Increase Attack Surface

A Google Project Zero researcher claims that some of the security features added by Samsung to the Android kernel don’t provide meaningful protection and they actually increase the attack surface.

A Google Project Zero researcher claims that some of the security features added by Samsung to the Android kernel don’t provide meaningful protection and they actually increase the attack surface.

Project Zero researcher Jann Horn has analyzed the Android kernel shipped by Samsung with its Galaxy A50 phones and found that some security features added by the tech giant actually make security worse.

Samsung’s kernel includes a protection feature designed to prevent attackers from reading or modifying user data. However, Horn found that it not only fails to achieve its goal, it also introduces vulnerabilities that can be exploited for arbitrary code execution.

A PoC exploit developed by Horn shows how an attacker could access an accounts database containing sensitive authentication tokens.

Exploitation also involves another vulnerability — an information disclosure flaw in the Linux kernel tracked as CVE-2018-17972 — that had been patched in the Linux kernel and the Android common kernel, but not in the Android kernel shipped by Samsung to its phones.

“Samsung’s protection mechanisms won’t provide meaningful protection against malicious attackers trying to hack your phone, they only block straightforward rooting tools that haven’t been customized for Samsung phones,” Horn said. “My opinion is that such modifications are not worth the cost because: they make it more difficult to rebase onto a new upstream kernel, which should be happening more often than it currently does; they add additional attack surface.”

Samsung has patched these and other vulnerabilities reported by Google Project Zero researchers with its February 2020 updates. This includes CVE-2018-17972.

Horn says he has not analyzed the kernel in other Samsung phones besides the A50, but he noted that vendor-specific modifications made to core kernel functionality in general can introduce vulnerabilities and make it more difficult to “lock down the attack surface.”

Advertisement. Scroll to continue reading.

“I believe that device-specific kernel modifications would be better off either being upstreamed or moved into userspace drivers, where they can be implemented in safer programming languages and/or sandboxed, and at the same time won’t complicate updates to newer kernel releases,” the researcher said.

He added, “That I was able to reuse an infoleak bug here that was fixed over a year ago shows, once again, that the way Android device branches are currently maintained is a security problem. While I have criticized some Linux distributions in the past for not taking patches from upstream in a timely manner, the current situation in the Android ecosystem is worse. Ideally, all vendors should move towards using, and frequently applying updates from, supported upstream kernels.”

SecurityWeek has reached out to Samsung for comment and will update this article if the company responds.

Related: Long-Patched Vulnerabilities Still Present in Many Popular Android Apps

Related: Critical Bluetooth Vulnerability Exposes Android Devices to Attacks

Related: Android’s February 2020 Update Patches Critical System Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.