Another day, another security scare. I think it would be safe to assume that just about any OS is vulnerable in some area and it never fails, where’s there’s a hole, there’s a person who will find it and exploit it. Today, a security vulnerability was found in Samsung Kies — Samsung’s sync and update software tool — and could potentially allow for malicious applications to be installed on a user’s device.
Revealed in Andre Moulu’s blog post, a seemingly legitimate app could be downloaded from the Play Store (Angry Birds Cheats, Japanese Squid Girls, etc.) and once installed it could hijack the “install_packages” permission found inside the Samsung Kies application. From there, the malicious app could have a field day installing more applications without the users knowledge or input.
According to the the pentester who discovered the exploit, the vulnerability was easy to pull off using little more than a few lines of Java. Apparently, this is a common vulnerability found in many system applications that come pre-installed on users’ devices thanks to custom UI’s. Of course, something like this could be patched up in a simple over-the-air update, so let’s hope Samsung, HTC, Motorola and other OEM’s are listening. Proof of concept video shown below for those interested.
[Sh4ka.fr]