Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google: Protections Added by Samsung to Android Kernel Increase Attack Surface

A Google Project Zero researcher claims that some of the security features added by Samsung to the Android kernel don’t provide meaningful protection and they actually increase the attack surface.

A Google Project Zero researcher claims that some of the security features added by Samsung to the Android kernel don’t provide meaningful protection and they actually increase the attack surface.

Project Zero researcher Jann Horn has analyzed the Android kernel shipped by Samsung with its Galaxy A50 phones and found that some security features added by the tech giant actually make security worse.

Samsung’s kernel includes a protection feature designed to prevent attackers from reading or modifying user data. However, Horn found that it not only fails to achieve its goal, it also introduces vulnerabilities that can be exploited for arbitrary code execution.

A PoC exploit developed by Horn shows how an attacker could access an accounts database containing sensitive authentication tokens.

Exploitation also involves another vulnerability — an information disclosure flaw in the Linux kernel tracked as CVE-2018-17972 — that had been patched in the Linux kernel and the Android common kernel, but not in the Android kernel shipped by Samsung to its phones.

“Samsung’s protection mechanisms won’t provide meaningful protection against malicious attackers trying to hack your phone, they only block straightforward rooting tools that haven’t been customized for Samsung phones,” Horn said. “My opinion is that such modifications are not worth the cost because: they make it more difficult to rebase onto a new upstream kernel, which should be happening more often than it currently does; they add additional attack surface.”

Samsung has patched these and other vulnerabilities reported by Google Project Zero researchers with its February 2020 updates. This includes CVE-2018-17972.

Horn says he has not analyzed the kernel in other Samsung phones besides the A50, but he noted that vendor-specific modifications made to core kernel functionality in general can introduce vulnerabilities and make it more difficult to “lock down the attack surface.”

“I believe that device-specific kernel modifications would be better off either being upstreamed or moved into userspace drivers, where they can be implemented in safer programming languages and/or sandboxed, and at the same time won’t complicate updates to newer kernel releases,” the researcher said.

He added, “That I was able to reuse an infoleak bug here that was fixed over a year ago shows, once again, that the way Android device branches are currently maintained is a security problem. While I have criticized some Linux distributions in the past for not taking patches from upstream in a timely manner, the current situation in the Android ecosystem is worse. Ideally, all vendors should move towards using, and frequently applying updates from, supported upstream kernels.”

SecurityWeek has reached out to Samsung for comment and will update this article if the company responds.

Related: Long-Patched Vulnerabilities Still Present in Many Popular Android Apps

Related: Critical Bluetooth Vulnerability Exposes Android Devices to Attacks

Related: Android’s February 2020 Update Patches Critical System Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.