SecurityWeek

Google Researchers Find Serious Flaws in Galaxy S6 Edge

Researchers from Google’s Project Zero have identified nearly a dozen high severity vulnerabilities in the Android operating system running on Samsung Galaxy S6 Edge smartphones.

While Google is the main developer of Android, device manufacturers such as Samsung, LG, HTC and Huawei have been using the Android Open Source Project (AOSP) source code to create their own variations of the mobile operating system.

Project Zero wanted to put the security of an OEM device to the test to see how it compares against Google’s Nexus, for which the Internet giant has started releasing monthly security updates.

“OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers,” Project Zero researcher Natalie Silvanovich said in a blog post.

Ten researchers, members of Project Zero and other Google security teams, were tasked with finding vulnerabilities in Samsung’s Galaxy S6 Edge smartphone, which they claim to have chosen because it’s a high-end device with a large number of users.

They specifically looked for three types of issues that can be part of a kernel privilege escalation exploit chain: gaining remote access to contacts, photos and messages; gaining access to such data from a Google Play application that requires no permissions; and using this access to persistently execute code even after a device wipe.

A total of eleven high severity issues have been identified, the most serious being a path traversal vulnerability (CVE-2015-7888) in the Samsung WifiHs20UtilityService service that can be exploited to write arbitrary files on the system.

The email client installed on Samsung Galaxy S6 Edge devices is also plagued by a serious flaw (CVE-2015-7889), which allows an attacker to forward a user’s emails to a different account via a series of intents from an unprivileged application. Another email client issue (CVE-2015-7893) can be exploited to execute arbitrary JavaScript code embedded in a message.

Google researchers also found issues related to drivers (CVE-2015-7890, CVE-2015-7891, CVE-2015-7892), and image parsing (CVE-2015-7894, CVE-2015-7895, CVE-2015-7896, CVE-2015-7897, CVE-2015-7898).

“Overall, we found a substantial number of high-severity issues, though there were some effective security measures on the device which slowed us down. The weak areas seemed to be device drivers and media processing. We found issues very quickly in these areas through fuzzing and code review. It was also surprising that we found the three logic issues that are trivial to exploit. These types of issues are especially concerning, as the time to find, exploit and use the issue is very short,” Silvanovich explained.

The expert pointed out that while SELinux (Security-Enhanced Linux) provides significant protection, some of the bugs they have identified can be exploited to disable this kernel security module.

Project Zero reported the vulnerabilities to Samsung in late July and eight of them were addressed by the vendor with its October maintenance release. The remaining three security bugs will be resolved later this month, but researchers say the unpatched issues have a lower severity.

After the existence of the critical Stagefright vulnerabilities came to light this summer, Samsung, LG and other phone manufacturers announced their plans to release monthly security updates designed to patch Android vulnerabilities. But not all vendors rushed to make such commitments. HTC said it will push for monthly security updates, but the company has deemed monthly update guarantees “unrealistic.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
