Preinstalled Android Apps

Overview

It was recently discovered that a handful of preinstalled Android apps had vulnerabilities that could be exploited on exposed Samsung devices. The initial analysis of these apps by Oversecured shows that the vulnerabilities could allow threat actors to access and edit the victim’s contacts, calls, SMS and MMS, install arbitrary apps with device administrator rights, or read and write files on behalf of a user to change the device’s settings. Below is a list of the affected apps and descriptions of the potential malicious actions:

• Knox Core (CVE-2021-25388): Attackers can install arbitrary apps on the device.
• Managed Provisioning (CVE-2021-25356): Attackers can install third-party apps and grant device admin privileges.
• Secure Folder (CVE-2021-25391): Attackers can execute privileged actions.
• SecSettings (CVE-2021-25393): Attackers can get permission to access system UID data.
• Samsung DeX System UI (CVE-2021-25392): Attackers can exfiltrate sensitive information by changing the backup path configuration.
• TelephonyUI (CVE-2021-25397): Attackers can write arbitrary files of telephony processes via untrusted apps.
• PhotoTable (CVE-2021-20724): Attackers can execute privileged actions.

‍

Lookout Analysis

Access to these types of data could lead to corporate data leakage and compliance violations if the device user has stored sensitive files locally on their device or communicated with colleagues about sensitive topics like research and development projects. Attackers know that mobile devices can access corporate data but oftentimes aren’t secured in the same way as laptops and desktops with access to the same data. To exploit these vulnerabilities, an attacker would most likely build a malicious third-party app that they would convince targeted victims to download through socially engineered mobile phishing campaigns.