Several security vulnerabilities in Samsung’s Find My Mobile app allowed hackers to factory reset premium Galaxy phones, steal SMS messages and call logs, lock phones, and carry out ransomware attacks.
The vulnerabilities in version 6.9.25 of Samsung’s Find My Mobile application were unearthed by security researchers at Char49 who revealed that the flaws could enable a rogue application to take control of the communications between the Find My Mobile application and its underlying back-end servers.
A small piece of legacy code in the FMM application allowed a rogue application to redirect the URL of one of the management servers and force the Find My Mobile app to update the addresses of all its supporting servers. Subsequently, hackers could use a remote server to perform man-in-the-middle (MitM) attacks and inject arbitrary actions.
“Since FMM supports a wide range of actions, the attack scenarios could be from ‘simple’ user monitoring up to catastrophic erasure of all data in the device. With the MitM attack alone, an attacker could permanently monitor a user, grab the device IMEI, account IDs, and several other pieces of personally identifiable information (PII), all in a permanent and transparent way; the victim would never realize what was happening. In a more serious scenario, this could be used for ransomware, locking the user out of his own phone and demanding ransom, or even completely erasing the device data,” the researchers noted.
By exploiting these vulnerabilities in the application, attackers could perform a range of actions, such as using a malicious app to factory reset the phone, steal SMS messages and call logs, lock the phone with a custom PIN and message, or locate the user; in short, any action that Find My Mobile supports. The flaw-ridden version of Find My Mobile was found in flagship Samsung phones such as the Galaxy S7, Galaxy S8, and Galaxy S9.
A technical analysis of the vulnerabilities affecting the Find My Mobile application can be found here.
The threat of hackers using malicious applications masquerading as popular apps to hijack Android devices is very real. Last year, Aleksejs Kuprins, a malware analyst at the CSIS Security Group, discovered a fake app named “Updates for Samsung” that offered free and paid firmware updates for Samsung phones and enjoyed over ten million downloads.
According to Kuprins, the app featured news and Android tutorials from a website called updato.com and offered a number of firmware updates for Samsung devices in its “Download Firmware” section. Users could either download firmware for free or opt for a paid annual subscription that let them download firmware at higher Internet speeds.
However, the app’s claim to be genuine fell apart when users attempted to download firmware for free. The Internet speed for free firmware updates was capped at 56Kbps, which meant that it took up to four hours for a user to download a 700MB package.
Kuprins noted that even if a user allowed the firmware to be installed at a snail’s pace, the download never completed and timed out or failed after a period of time. In the meantime, the app continued to play a series of advertisements while the firmware package was supposedly being installed.
Users were then encouraged to opt for “Fast downloads through paid premium packages” to download firmware at a quicker pace. The app charged $34.99 and upwards for these packages and also offered SIM card unlocking for any network operator at prices starting at $19.99.