Threat Guidances
Vulnerability
Android
June 17, 2021

Preinstalled Android Apps

Recommendation for Lookout Admins

Any device with Android Security Patch Level (ASPL) later that 2021-05-05 will be protected from exploitation of these vulnerabilities. With that in mind, Lookout Admins should set the minimum required ASPL as 2021-05-05 if the user wants to access any corporate resources from their mobile device. By implementing access policies that only allow users and devices with the most up-to-date app versions installed on their devices, Lookout admins can ensure that threat actors don’t use vulnerable apps to access sensitive data.

Overview

It was recently discovered that a handful of preinstalled Android apps had vulnerabilities that could be exploited on exposed Samsung devices. The initial analysis of these apps by Oversecured shows that the vulnerabilities could allow threat actors to access and edit the victim’s contacts, calls, SMS and MMS, install arbitrary apps with device administrator rights, or read and write files on behalf of a user to change the device’s settings. Below is a list of the affected apps and descriptions of the potential malicious actions:

  • Knox Core (CVE-2021-25388): Attackers can install arbitrary apps on the device.
  • Managed Provisioning (CVE-2021-25356): Attackers can install third-party apps and grant device admin privileges.
  • Secure Folder (CVE-2021-25391): Attackers can execute privileged actions.
  • SecSettings (CVE-2021-25393): Attackers can get permission to access system UID data.
  • Samsung DeX System UI (CVE-2021-25392): Attackers can exfiltrate sensitive information by changing the backup path configuration.
  • TelephonyUI (CVE-2021-25397): Attackers can write arbitrary files of telephony processes via untrusted apps.
  • PhotoTable (CVE-2021-20724): Attackers can execute privileged actions.

Lookout Analysis

Access to these types of data could lead to corporate data leakage and compliance violations if the device user has stored sensitive files locally on their device or communicated with colleagues about sensitive topics like research and development projects. Attackers know that mobile devices can access corporate data but oftentimes aren’t secured in the same way as laptops and desktops with access to the same data. To exploit these vulnerabilities, an attacker would most likely build a malicious third-party app that they would convince targeted victims to download through socially engineered mobile phishing campaigns.

Authors

Lookout

Endpoint Security
Entry Type
Threat Guidances
Threat Type
Vulnerability
Platform(s) Affected
Android
Platform(s) Affected
Threat Guidances
Vulnerability
Android

Related Content

CVE-2025-31200-31201 Update

CISA recently added guidance to CVE-2025-31200, a memory corruption issue, and CVE-2025-31201, an arbitrary read and write issue.

Read Threat Article

CVE-2025-24201 on iOS

CISA recently provided guidance for CVE-2025-24201, an out-of-bounds write issue in WebKit. There has been evidence of active exploitation of this CVE.

Read Threat Article

Lookout Discovers New Spyware by North Korean APT37

Lookout researchers have discovered a novel Android surveillance tool dubbed KoSpy. It is attributed to APT 37 aka ScarCruft.

Read Threat Article

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Schedule Demo
HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell