Local Japanese team exploits mobile applications to install malware on Samsung Galaxy S4

Author: Heather Goudey, senior security content developer, HP

Japan’s very own Team MBSD, of Mitsui Bussan Secure Directions, Inc., have demonstrated exploits against several applications installed by default on the Samsung Galaxy S4. Combined, these bugs allow the covert installation of a malicious application and the theft of sensitive data. The spoils for their hard work? A cool $40,000.

The team exploited multiple apps installed by default on the Samsung Galaxy S4 to install malware and steal confidential data. For the exploit to succeed, the affected user must first be lured to an attacker-controlled malicious website. From there, however, no further user interaction is required, and an attacker can install arbitrary applications of their choice with system-level privileges on the user’s device.

In this case, the payload captured and exfiltrated sensitive data such as the affected user’s contacts, bookmarks, browsing history, screenshots and SMS messages.

The implications of this exploit are worrisome. While you may be reluctant to click on links (heeding the commonly given, if somewhat ridiculous, advice to ‘click carefully’), it is unlikely that you assess risk and use caution the same way on your mobile devices as you do on your desktop. The message here, however, is clear: mobile platforms are vulnerable to the same or very similar methods of malware distribution that plague the desktop, and you would be wise to take heed.

This vulnerability was disclosed to Samsung in the chamber of disclosures, and they will be working to address it.

Additional Resources

HP Zero Day Initiative

The Zero Day Initiative (ZDI), founded by TippingPoint, is a program designed to reward security researchers for responsibly disclosing vulnerabilities.