A major vulnerability, named “Corrupdate” because of the methods used to gain access to a pair of system applications from Samsung, has been announced; it affects nearly 80% of all Samsung Android devices including the Galaxy S5 and Note 4. The vulnerability was discovered by security researchers Ryan Welton and Jake Van Dyke of NowSecure. NowSecure, a mobile security vendor, reported the issues to Samsung and assisted with creating a patch for the affected devices. They also have confirmed that the patch that was created has appeared to work. This vulnerability affects The Samsung Account and Samsung GALAXY Applications or on some devices may be called Samsung Apps and Samsung Updates, and because they are system applications, they cannot be uninstalled. For those of you who track vulnerabilities, GALAXY Apps has been assigned CVE-2015-0863 and Samsung Account has been assigned CVE-2015-0864.
This vulnerability is the result of a man-in-the-middle attack where a third party attacker is able to replace a legitimate application with the attackers own application. These applications are particularly dangerous as they have full access to your device and have carte blanche to do whatever the attacker wants, all without you having the slightest idea this is going on.
While the user must approve an update to Samsung Account, real or fake, the GALAXY Apps market does not need user authorization to install applications. If this update happens on an unsecured network the user is exposed to a possible attack from a third party attacker. Once you open the application which is a requirement for the attack to work, the malicious application can go about completing its tasks. It could track your location, steal your contact list, display ads (that could contain even more malware), or it could be used as part of a botnet. It could even gain root access to your device which is the very attack used by NowSecure to show proof of concept.
NowSecure has created an application that will assist you in the process of securing your device by letting you know if your device is affected by these exploits. If you wish to do this manually you can do so by going to the application manager in your device settings. Depending on your device, to do this go to settings, then to the “more” section, then to Application Manager or you may need to go to Settings, General, Application manager or you may need to simply go to settings, application manager. You then can look under ALL and there you should find Samsung Account and GALAXY Apps, which may be called Samsung Apps or Samsung Updates depending on your device. The application information screen will give you information on which version of each application you have. If your version number is lower than the following versions then your applications are vulnerable. For Samsung Account, if your version is lower than version 1.6.0069 or later for 1.0 series, Version 2.1.0069 for 2.0 Series than your application is vulnerable. For GALAXY Apps, also known as Samsung Apps or Samsung Updates, if your version is 14120405.03.012 or higher.
NowSecure highly recommends installing NowSecure Mobile to verify that your applications are safe or vulnerable. There is a fix for the vulnerability, but it must be performed on a secure network such as your home network and should be performed as soon as possible. According to Samsung, to update Samsung Account open any Samsung App that requires you to login to your Samsung Account. You should be prompted to update your application. Click ok and after the install and you should be all set. To update the GALAXY Apps, simply open the application and go to settings. You should receive a download notice to update to a newer version. Please note this will change the name to GALAXY Apps if your application was named Samsung Apps. This is to be expected.
If you do not receive a prompt to update your applications, or simply no longer wish for these applications to run, NowSecure recommends that you disable them. You can find this option in the Application Manager using the steps described above to locate your version number. You will receive a warning from Android if you do this letting you know that turning off a built-in app could cause issues. Click ok, just note it will delete app data. It should not be an issue, but you need to consider your situation to determine if this is the right step for you. Keep in mind disabling the GALAXY Apps will cause the application to not update while disabled, so you will have to re-enable the application in order to check for an update. Just make sure to do this on a secure network.
It is important for users of Samsung devices to make sure their phones are secure right away. The easiest way is to use NowSecure’s application to verify that your phone is safe. As stated this vulnerability affects 80% of Samsung devices, which translates around 200 million devices in potential danger. These kinds of attacks will become more prevalent in the future as malicious attackers will use more and more complex attack vectors to get to users information and credentials. It is important that you take steps to ensure you remain as safe as possible, such as making sure all your devices and applications are up to date with the latest secure versions. Remaining diligent is your best protection.