exynos-s3

PSA: Samsung Device Owners of GS2, GS3, OG Note, Note 2 & Note 10.1 Beware of Serious Malware Exploit

December 17, 2012 - Written By Tom Dawson

Earlier we bought you news that there was a serious security flaw that could affect devices running one of Samsung’s Exynos 4210 or 4412 processors and that a lot of Samsung devices were at risk the most. Then we didn’t have too much information however, now there is a little more to go on. Let’s go ahead and take a look at the problem and some of the fixes – call this the “lowdown” on this latest exploit.

What is It and Am I Affected?

Essentially, what we have here is an exploit that affects devices running an Exys 4210 or Exynos 4412 – and those using Samsung’s Kernel Sources – chip and specifically those from Samsung. In firmware builds from Samsung the virtual directory for memory (RAM) on the device “/dev/exynos-mem” is left wide open with full read/write access. Which is great for those looking to hack open these devices and acquire root privileges  However, what isn’t so great is that this hole left in the Kernel leaves things open for malware and apps to mount an easy attack as anything in RAM is fair game when this exploit is left open. For the most part, if you’re running a US version of the Galaxy S III then you’re safe as they’re based on the Snapdragon S4 processor and not Samsung’s own. Check the list below to see if your device is left vulnerable by this exploit:

  • Samsung Galaxy S2 GT-I9100
  • Samsung Galaxy S3 GT-I9300
  • Samsung Galaxy S3 LTE GT-I9305
  • Samsung Galaxy Note GT-N7000
  • Samsung Galaxy Note 2 GT-N7100
  • Verizon Galaxy Note 2 SCH-I605 (with locked bootloaders)
  • Samsung Galaxy Note 10.1 GT-N8000
  • Samsung Galaxy Note 10.1 GT-N8010

Below is the exploit as outlined by XDA forum member “alephzain” who found the exploit and used it to get easy-root on the device without the use of ODIN:

“Hi,

Recently discover a way to obtain root on S3 without ODIN flashing.
The security hole is in kernel, exactly with the device /dev/exynos-mem.
This device is R/W by all users and give access to all physical memory … what’s wrong with Samsung ?
Its like /dev/mem but for all.
Three libraries seems to use /dev/exynos-mem:
/system/lib/hw/camera.smdk4x12.so
/system/lib/hw/gralloc.smdk4x12.so
/system/lib/libhdmi.so”

It seems pretty strange – and negligent – of Samsung to leave such a hole wide open as it could be used by malware to serious effect. This hole leaves applications the chance to gain root access and read/write to the phone without a user-prompt and/or even a restart of the device. However, I expect a quick turnaround from Samsung with this. Members of the community have already come forward with a fix, read on for more.

How Can I Fix This and What if I’m Rooted?

If you’ve already rooted your device and are running one of the above then your phone is left at risk as a result of this Kernel exploit and your device will probably be more at risk as root does tend to leave devices that little bit more open. However, even if you’re not rooted then you’re at risk as “/dev/mem-exynos” is left open with read/write access regardless of whether you have root or not. Luckily, the developer that has bought us many fixes and little hacks in the past, Chainfire, has prepared a fix that is as easy to apply as installing an apk file – all done with the help of others in the dev community. However, if you’re not rooted before using this – you will be afterwards, this is done to be able to plug the hole afterwards. Read Chainfire’s description of the fix below:

“This is an APK that uses the ExynosAbuse exploit (by alephzain) to gain root privileges and install SuperSU (v0.99) on your Exynos4 based device.

Since v1.10, it also allows you to disable the exploit (which may break camera), re-enable the exploit (if you need the camera) and to disable the exploit at boot (before any Android app runs). These options do require root (SuperSU or Superuser) to be installed as well. While this will help protect you, these are work-arounds, not actual fixes.

For more details on the exploit itself, see this thread. The exploit is used by this APK in unmodified form. You should be very afraid of this exploit – any app can use it to gain root without asking and without any permissions on a vulnerable device. Let’s hope for some fixes ASAP!”

To see if your device is compatible with this app, get a look at the original thread here.

Samsung, Where for Art Thou?

Samsung have been made aware of the issue and we’re sure that they’re working on a fix to be pushed out via an OTA update. Android Police reached out to their PR team but have heard nothing back. Samsung will want to get on top of this quickly as the call to arms surrounding Android Malware has been rising in fervor these past few weeks and for the best selling Android devices to have a hole like this left wide open is definitely not good for Android’s public image, let alone Samsung’s. What is a little scary though, is how long carriers might take to release this an update to their customers. Given that some carriers in Europe rely on KIES to update Samsung devices they may not even be made aware of such an exploit. We can only hope that Samsung will make a statement soon and give out some fixes pretty quickly.

[Sources: XDA (1), XDA (2)]