Samsung Galaxy backdoor allows files access on the mobile’s storage

Almost every mobile phone manufacturer commercializes its devices with a version of the Android OS that includes its software component, pre-installed application and factory settings.

Samsung, for example, provides a customized Android version which includes some pre-installed proprietary software, but as usually happen in these cases, no one has the possibility to analyze in details the added components through an efficient code review process. Pre-installed components could include a backdoor to spy on users or to remotely gain complete control of the device. On the

Replicant OS is an open source operating system based on the Google Android, and  available for several Smartphones and tablet computers, which replace all proprietary Android components with their free software counterparts.

As highlighted in the blog post, modern handsets come with two separate processors, a general-purpose application processor that runs the main operating system and another component  in charge of communications with the mobile telephony network. Modem processor is usually targeted by attackers because it always runs a proprietary operating system, and the presence of a backdoor makes possible to remotely surveillance activities.

“Today’s phones come with two separate processors: one is a general-purpose applications processor that runs the main operating system, e.g. Android; the other, known as the modem, baseband, or radio, is in charge of communications with the mobile telephony network. This processor always runs a proprietary operating system, and these systems are known to have backdoors that make it possible to remotely convert the modem into a remote spying device. The spying can involve activating the device’s microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone. Moreover, modems are connected most of the time to the operator’s network, making the backdoors nearly always accessible.”

Kocialkowski has discovered that a Samsung’s IPC protocol runs in the background in the communications processor and allows the modem component to remotely the user’s phone storage. Samsung IPC protocol allows to read, write, and delete files implementing a class of requests (RFS commands) to execute remote I/O operations on the phone’s storage.

We cannot demonstrate that the backdoor was specifically designed, neither that it might have been placed there wrongly, but in both cases user’s privacy is at risk.

Replicant has published a patch ‘0001-modem_if-Inject-and-intercept-RFS-I-O-messages-to-pe.patch‘ for your Samsung Smartphone, which replace the legitimate Samsung-RIL library.

Kocialkowski also encourage Samsung Galaxy owners to appeal publicly to SamsungMobile for an explanation.

Pierluigi Paganini

(Security Affairs – Samsung, mobile)