Security Research

Local Japanese team exploits mobile applications to install malware on Samsung Galaxy S4

Heather_Goudey 11-12-2013 11:04 PM - edited 11-13-2013 03:38 AM

Japan’s very own Team MBSD, of Mitsui Bussan Secure Directions, Inc., have demonstrated exploits against several applications installed by default on the Samsung Galaxy S4. Combined, these bugs allow the covert installation of a malicious application and the theft of sensitive data. The spoils for their hard work? A cool $40,000.

The team exploited multiple apps installed by default on the Samsung Galaxy S4 to install malware and steal confidential data. For the exploit to succeed, the affected user must first be lured to an attacker-controlled malicious website. From there, however, no further user interaction is required, and an attacker can install arbitrary applications of their choice with system-level privileges on the user’s device.

In this case, the payload was the capture and exfiltration of sensitive data, including the affected user’s contacts, bookmarks, browsing history, screenshots and SMS messages.

The implications of this exploit are worrisome. While you may be reluctant to click on links (heeding the commonly given, if somewhat ridiculous, advice to ‘click carefully’), it is unlikely that you assess risk and use caution the same way on your mobile devices as you do on your desktop. The message here, however, is clear – mobile platforms are vulnerable to the same or very similar methods of malware distribution that plague the desktop, and you would be wise to take heed.

This vulnerability was disclosed to Samsung in the chamber of disclosures and they will be working to address it.
