Jann Horn, a researcher with Google Project Zero, examined the Android kernel that Samsung ships on its Galaxy A50 phones and concluded that the security mechanisms Samsung engineers added to the kernel not only fail to provide full protection, but also create additional attack vectors. According to Horn, Samsung's modifications to the Android kernel only worsen its security.
Horn notes that he did not examine the kernels of other Samsung devices, but believes that vendor-specific modifications of this kind generally introduce vulnerabilities and make attacks harder to counter.
“Worse, this practice is common among smartphone manufacturers: they often add something controversial to the Linux kernel code, and upstream developers do not consider these changes and cannot control them,” states Jann Horn.
In particular, the Samsung kernel includes a feature intended to protect user data from being read or modified by attackers. Horn found that this feature not only fails at its task, but also contains vulnerabilities that can be used to execute arbitrary code.
The issue affects Samsung's additional security subsystem PROCA (Process Authenticator).
Horn's proof-of-concept exploit demonstrates that an attacker can gain access to the accounts database, which contains sensitive authentication tokens.
Exploitation also relies on an older bug, the kernel information disclosure vulnerability CVE-2018-17972. That issue was fixed long ago in the mainline Linux kernel and in the Android common kernel, but, as it turned out, not in the kernel Samsung ships on its phones.
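A practitioner reading this will want a quick way to tell whether a device's kernel still has the old behaviour. CVE-2018-17972 is the `/proc/<pid>/stack` issue: before the upstream fix, any local user could read a task's kernel stack trace through that file; the fix restricts it to callers with CAP_SYS_ADMIN, so an unprivileged read now fails. That identification is a fact about the CVE, not something the article states. The script below is an added example written for this page, not code from Project Zero or from Samsung; it assumes a Linux or Android shell where `/proc`, `grep -E` and `id` are available (for example via `adb shell` as the `shell` user), and the frame-line format `[<addr>] symbol+0x.../0x...` that the kernel uses for this file.

```sh
#!/bin/sh
# Added example (not from the article or Project Zero): check whether
# /proc/<pid>/stack is still readable by an unprivileged user, which is the
# pre-fix behaviour of CVE-2018-17972 (upstream now requires CAP_SYS_ADMIN).
# Run as a non-root user, e.g. `adb shell sh check_proc_stack.sh`.

# is_stack_dump TEXT
# Returns 0 (true) if TEXT looks like a kernel stack dump from
# /proc/<pid>/stack, i.e. contains frame lines such as
#   [<0>] do_wait+0x1c4/0x2d4
# (the address may print as 0 under kptr_restrict, so only the line
# shape is checked, not the address value).
is_stack_dump() {
    printf '%s\n' "$1" | grep -Eq '^\[<[0-9a-fx]+>\] '
}

# check_proc_stack_restriction
# Prints one of:
#   UNKNOWN     - /proc/self/stack does not exist (CONFIG_STACKTRACE off)
#   SKIP        - running as root, which is allowed to read it anyway
#   VULNERABLE  - unprivileged read succeeded and returned a stack dump
#   FIXED       - read was refused or returned nothing
check_proc_stack_restriction() {
    if [ ! -e /proc/self/stack ]; then
        echo UNKNOWN
        return 0
    fi
    if [ "$(id -u)" -eq 0 ]; then
        echo "SKIP (run as a non-root user)"
        return 0
    fi
    # On a fixed kernel cat fails with EPERM; treat that as FIXED.
    out=$(cat /proc/self/stack 2>/dev/null) || { echo FIXED; return 0; }
    if is_stack_dump "$out"; then
        echo VULNERABLE
    else
        echo FIXED
    fi
}

check_proc_stack_restriction
```

A VULNERABLE result only shows that the information-disclosure fix is missing; it says nothing about PROCA or the rest of the chain described above, and the address field alone is not a reliable signal because `kptr_restrict` may already be blanking it on an otherwise unfixed kernel.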
“Samsung's defense mechanisms do not provide complete protection against attackers trying to hack your phone; they only block the simplest root tools that are not customized for Samsung devices. I believe that such modifications are not worth it, since they make it difficult to switch to a new kernel (which should happen more often than it does now) and add additional attack surface,” writes Horn.
He notes that the PROCA mechanism is designed to restrict an attacker who has, in effect, already obtained read and write access to kernel memory. According to Horn, Samsung could build a more effective defense by directing its resources toward preventing the attacker from obtaining such access in the first place.
Samsung has already fixed these and other vulnerabilities (including CVE-2018-17972) as part of its February security update.
Recall that Android users are also threatened by another dangerous problem: the Xhelper malware continues to infect Android devices. Moreover, the Xhelper Trojan remains on the device even after it is deleted or the device is reset to factory settings.