New research disclosed a string of severe security vulnerabilities in the ‘Find My Mobile’ an Android app that comes pre-installed on most Samsung smart phones that could have allowed remote attackers to track victims’ real-time location, monitor phone calls, and messages, and even delete data stored on the phone.

Vulnerability:

Samsung’s Find My Mobile service allows owners of Samsung devices to remotely locate or lock their Smartphone or tablet, back up data stored on the devices to Samsung Cloud, wipe local data, and block access to Samsung Pay.

How attackers exploit the vulnerability?

“The flaw, after setup, can be easily exploited and with severe implications for the user and with a potentially catastrophic impact: permanent denial of service via phone lock, complete data loss with factory reset (SD card included), serious privacy implication via IMEI and location tracking as well as call and SMS log access,”.

Affected Phones:

The flaws, which work on unpatched Samsung Galaxy S7, S8, and S9+ devices, were addressed by Samsung.

There were four different vulnerabilities in the app that could have been exploited by a malicious app installed on the targeted device, thus creating a man-in-the-disk attack to hijack communication from the backend servers and snoop on the victim.

The flaw stems from the fact the app checks for the presence of a specific file on the device’s SD card (“/mnt/sdcard/fmm.prop”) in order to load a URL (“mg.URL”), thus allowing a rogue app to create this file that can be used by a bad actor to potentially hijack the communications with the server.

“By pointing the MG URL to an attacker-controlled server and forcing the registration, the attacker can get many details about the user: coarse location via the IP address, IMEI, device brand, API level, backup apps, and several other information,”

To achieve this, a malicious app installed on the device makes use of an exploit chain that leverages two different unprotected broadcast receivers to redirect commands sent to Samsung’s servers from the Find My Mobile app to a different server that’s under the attacker’s control and execute malicious commands.

The malicious server also forwards the request to the legitimate server and retrieves the response, but not before injecting its own commands in the server responses.

In doing so, a successful attack could allow a hacker to track the device’s location, grab call data and text messages for spying, lock the phone for ransom, and erase all data through a factory reset.

Needless to say, the vulnerability is yet another indicator of how an app that’s meant to safeguard users against information loss can be susceptible to a number of flaws that can defeat the app’s purpose.

“The FMM [Find My Mobile] application should not have arbitrary components publicly available and in an exported state,” “If absolutely necessary, for example if other packages call these components, then they should be protected with proper permissions. Testing code that relies on the existence of files in public places should be eliminated.”

Recommendations

Segment data and apps on enterprise devices.

It is recommended to consider the following best practice:

• Create a back-up of your Data
• Download Original Apps from Authentic Developers
• Keep updated Software in Phone
• Verify that you’re using Android’s app-scanning system
• Double-check your security basics