Project Zero Experts Found critical flaws in Samsung Galaxy S6 Edge

Experts at Google’s Project Zero have discovered a number of high severity flaws in the Android OS version running on Samsung Galaxy S6 Edge smartphones.

Experts at Google Project Zero are conducting an analysis of the Android operating system running on the Android OS installed by other manufacturers on their mobile devices.

The principal manufactures have been using the Android Open Source Project (AOSP) source code to customize the Google OS for their systems, and experts at Project Zero wanted to test them.

“The majority of Android devices are not made by Google, but by external companies known as Original Equipment Manufacturers or OEMs which use the Android Open-Source Project (AOSP) as the basis for mobile devices which they manufacture.”states the blog post published by the Project Zero team.

“OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers.” 

Recently a team of ten researchers from the Project Zero team and other Google security teams analyzed Samsung Galaxy S6 Edge smartphone searching for vulnerabilities in OS running on it.

They focused their efforts in evaluating the possibility to escalate kernel privileges from both local and remote starting point.

The researchers tried to gain remote access to data managed by the Android device, including contacts, messages and photos obtaining persistence in the mobile phone.

After a week of intense tests on the Samsung Galaxy S6 Edge, the team has found eleven high severity issues, the most important is a path traversal vulnerability (CVE-2015-7888) affecting the Samsung WifiHs20UtilityService service that can be exploited by attackers to write arbitrary files on the device.

“There is a process running a system on the device that scans for a zip file in /sdcard/Download/cred.zip and unzips the file. Unfortunately, the API used to unzip the file does not verify the file path, so it can be written in unexpected locations.” states the post.

Another serious flaw (CVE-2015-7889) discovered by the team in the Samsung Galaxy S6 Edge is affecting the email client (CVE-2015-7889) installed on the device. The flaw could be triggered by attackers to forward user’s emails to a different account via a series of intents from an unprivileged application. The experts also found another vulnerability (CVE-2015-7893) in the email client  can be exploited to execute arbitrary JavaScript code embedded in an email.

The experts explained that the device drivers and media processing were affected by several issues that they have quickly identified.

“We found issues very quickly in these areas through fuzzing and code review.” states the post.

The discovered issues are related to the image parsing (CVE-2015-7894, CVE-2015-7895, CVE-2015-7896, CVE-2015-7897, CVE-2015-7898) and the drivers (CVE-2015-7890, CVE-2015-7891, CVE-2015-7892).

The Project Zero team reported the security vulnerabilities to Samsung in July, the company has fixed eight flaws in October, the remaining ones will be fixed this month.

Pierluigi Paganini

(Security Affairs – Samsung Galaxy S6 Edge, hacking)