Samsung gets Pwned again – ExynosAbuse Exploit Review

A new root exploit for Android devices, known as ExynosAbuse, was published just yesterday. The underlying vulnerability exists on various Samsung devices running a number of Android versions, including 2.x, 4.0, and 4.1.
The flaw is a local privilege escalation in the kernel drivers used by the camera and multimedia hardware. By exploiting it, an attacker can bypass the Android permission model and ultimately read files and sensitive information anywhere on the device. The concern for enterprises: root access also reaches into enterprise data-protection applications such as Good for Enterprise, so the attacker can read the information those applications encrypt.

Galaxy S3 and S2 root exploit

Unfortunately, no patch has been released by the vendors yet, so the affected devices (listed below) remain vulnerable. Further, at the time of writing no antivirus or MDM solution for Android detects exploitation of this vulnerability, whether by a malicious application or by other means.

What are the attack methods?

  • Convincing the user to install a malicious Android application, either from the official Google Play store or from a third-party source (unofficial app store, email attachment, etc.)
  • A web attack leveraging a public vulnerability in an existing application, such as the browser (CVE-2012-5139), to run the exploit without any user installation
  • Physically connecting the device to an attacker's computer and running the exploit over that connection

What are the consequences of such an attack?

An attacker exploiting the vulnerability is capable of:

  • Gaining full control of the smartphone/tablet and bypassing the Android permission model
  • Running code with root (administrator) privileges
  • Accessing any file and sensitive information on the device
  • Accessing enterprise data-protection applications, such as Good for Enterprise, Check Point Mobile Access Software Blade, Divide, and various banking and financial applications. Because root bypasses the application sandbox, the attacker can reach encrypted and sensitive content such as confidential documents and emails.
  • Installing a persistent backdoor on the device

What are the affected devices?

  • Samsung Galaxy Note GT-N7000
  • Samsung Galaxy S2 GT-I9100
  • AT&T Samsung Galaxy S2 GT-I777
  • Samsung Galaxy S3 GT-I9300
  • LTE Samsung Galaxy S3 GT-I9305
  • Samsung Galaxy Note 2 GT-N7100
  • LTE Samsung Galaxy Note 2 GT-N7105
  • Samsung Galaxy Note 10.1 GT-N8000
  • Samsung Galaxy Note 10.1 GT-N8010
  • Meizu MX

How to minimize threat exposure?

  • Users should be instructed to install applications only from reputable sources (well-known developers, and only through the official Google Play store). Note that this reduces the risk but does not eliminate it, since a malicious application can also reach Google Play.
  • Users should be instructed not to open suspicious or unknown links sent to the device.
  • We cannot recommend using the community-provided fix app, since it uses the vulnerability itself to gain root and disables the camera on the phone.
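Until a vendor patch ships, the one check an administrator can run without rooting anything is to look at the permissions of the driver node the exploit abuses. The script below is an added example, not part of the original post or of the ExynosAbuse exploit; it assumes, following the public exploit write-up rather than anything stated above, that the node in question is /dev/exynos-mem and that the flaw is that it was created readable and writable by every process on the device. A world-read/write node is the symptom the exploit relied on, not proof of exploitability on its own, so treat a "world-rw" result as "investigate", not "compromised".

```shell
#!/bin/sh
# Added example (not from the original post): report device nodes that are
# readable and writable by every user on the device.
# Assumption: the public ExynosAbuse write-up attributes the bug to
# /dev/exynos-mem being created with mode 0666; the node name is therefore
# an assumption taken from that write-up, not a fact stated on this page.
# Usage over adb:
#   adb push check_exynos.sh /data/local/tmp/
#   adb shell sh /data/local/tmp/check_exynos.sh /dev/exynos-mem

# check_dev_node PATH
# Prints one of: world-rw (others have read and write), ok, absent.
# Uses `ls -ld` rather than `stat` so it works on toybox/busybox as well as
# GNU coreutils; columns 8-9 of the mode string are the "other" r and w bits.
check_dev_node() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "absent"
        return 0
    fi
    others=$(ls -ld "$path" | cut -c8-9)
    case "$others" in
        rw) echo "world-rw" ;;
        *)  echo "ok" ;;
    esac
    return 0
}

# scan_nodes PATH...
# Prints one line per node and returns 0 if any node is world-rw
# (device exposed), 1 if none is.
scan_nodes() {
    exposed=1
    for node in "$@"; do
        state=$(check_dev_node "$node")
        printf '%-24s %s\n' "$node" "$state"
        if [ "$state" = "world-rw" ]; then
            exposed=0
        fi
    done
    return $exposed
}

# When run directly with arguments, scan the nodes given on the command line.
if [ $# -gt 0 ]; then
    scan_nodes "$@"
fi
```

The exit status of scan_nodes is deliberately "0 means exposed" so the script can drive a fleet check from a loop over `adb devices` and collect the serial numbers that need attention; any node that reports "absent" is simply not present on that device model and says nothing about the others.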