Although Google has its recommended set of apps for all Android phones to have, some manufacturers have long preferred to still provide their own core apps and custom experiences. For the longest time, Samsung has been one of the biggest culprits of that divergent experience, but it has lately been trying to trim down its set of apps. That doesn’t mean it has done away with those completely, especially pre-installed apps and services that provide functionality that neither Google nor Android itself provides. Unfortunately, those apps and services can also become entry points for hackers, as demonstrated by this latest security report.
To be fair, there was a time when Google and Android, at least AOSP, didn’t provide decent apps and OEMs had to fend for themselves. Samsung provided its own SMS, Phonebook, Calendar, and even Calculator apps in addition to services like Knox security and Secure Folder to provide functionality that Android didn’t have. These days, Samsung still pre-installs some of these apps even as it also preloads Google’s equivalents, and some have actually become security liabilities.
Mobile app security outfit Oversecured reported no fewer than seven vulnerabilities in Samsung’s own apps and services. Some of these were, ironically, found in the Knox secure framework, while others were in the DeX desktop framework and even the Phone app UI. The vulnerabilities enabled hackers to steal SMS messages, install arbitrary apps, or gain access to files as the system user.
There were other vulnerabilities that Oversecured hasn’t revealed publicly yet due to the severity of their risk. It did responsibly disclose them to Samsung, which patched those flaws and rolled the fixes out in updates for April and May this year. Samsung says it is not aware of any reports that these flaws were exploited.
It isn’t rare for apps and software to have security holes, of course, but the closer they are to the core of the operating system, the bigger the risk they carry. Nothing gets closer to the system than Samsung’s own system apps, and this report should make Samsung more aware of the responsibility it carries with these pre-installed apps and services that users can’t easily uninstall or block.