June 17, 2021

Preinstalled Android Apps

Recommendation for Lookout Admins

Any device with Android Security Patch Level (ASPL) later than 2021-05-05 will be protected from exploitation of these vulnerabilities. With that in mind, Lookout Admins should set the minimum required ASPL as 2021-05-05 if the user wants to access any corporate resources from their mobile device. By implementing access policies that only allow users and devices with the most up-to-date app versions installed on their devices, Lookout admins can ensure that threat actors don’t use vulnerable apps to access sensitive data.
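One way to check a device inventory against this minimum, as an added example that is not Lookout's code or policy engine: the inventory rows are constructed, the field names `id` and `aspl` are assumptions, and the ASPL strings use the `YYYY-MM-DD` form Android reports in the `ro.build.version.security_patch` property.

```python
import re
from datetime import date

# Minimum ASPL recommended in this advisory.
MIN_ASPL = date(2021, 5, 5)

_ASPL_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def parse_aspl(value):
    """Return a date for a well-formed ASPL string, otherwise None."""
    m = _ASPL_RE.fullmatch((value or "").strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # well-shaped but impossible date, e.g. 2021-13-01
        return None


def evaluate(device, minimum=MIN_ASPL):
    """Return (allowed, reason). Fails closed when the ASPL is unusable."""
    aspl = parse_aspl(device.get("aspl"))
    if aspl is None:
        return False, "ASPL missing or malformed"
    if aspl < minimum:
        return False, f"ASPL {aspl} is older than {minimum}"
    return True, f"ASPL {aspl} meets minimum {minimum}"


def audit(inventory, minimum=MIN_ASPL):
    """Map each device id to its (allowed, reason) decision."""
    return {d["id"]: evaluate(d, minimum) for d in inventory}


# Constructed sample inventory (not real devices).
INVENTORY = [
    {"id": "dev-001", "aspl": "2021-06-01"},
    {"id": "dev-002", "aspl": "2021-05-05"},
    # Android publishes -01 and -05 levels each month; May -01 is too old.
    {"id": "dev-003", "aspl": "2021-05-01"},
    {"id": "dev-004", "aspl": ""},          # agent reported nothing
    {"id": "dev-005", "aspl": "2021-5-5"},  # malformed value
]

if __name__ == "__main__":
    for dev_id, (ok, reason) in audit(INVENTORY).items():
        print(f"{dev_id}: {'ALLOW' if ok else 'BLOCK'} ({reason})")
```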

Overview

It was recently discovered that a handful of preinstalled Android apps had vulnerabilities that could be exploited on exposed Samsung devices. The initial analysis of these apps by Oversecured shows that the vulnerabilities could allow threat actors to access and edit the victim’s contacts, calls, SMS and MMS, install arbitrary apps with device administrator rights, or read and write files on behalf of a user to change the device’s settings. Below is a list of the affected apps and descriptions of the potential malicious actions:

  • Knox Core (CVE-2021-25388): Attackers can install arbitrary apps on the device.
  • Managed Provisioning (CVE-2021-25356): Attackers can install third-party apps and grant device admin privileges.
  • Secure Folder (CVE-2021-25391): Attackers can execute privileged actions.
  • SecSettings (CVE-2021-25393): Attackers can get permission to access system UID data.
  • Samsung DeX System UI (CVE-2021-25392): Attackers can exfiltrate sensitive information by changing the backup path configuration.
  • TelephonyUI (CVE-2021-25397): Attackers can write arbitrary files of telephony processes via untrusted apps.
  • PhotoTable (CVE-2021-20724): Attackers can execute privileged actions.

Lookout Analysis

Access to these types of data could lead to corporate data leakage and compliance violations if the device user has stored sensitive files locally on their device or communicated with colleagues about sensitive topics like research and development projects. Attackers know that mobile devices can access corporate data but oftentimes aren’t secured in the same way as laptops and desktops with access to the same data. To exploit these vulnerabilities, an attacker would most likely build a malicious third-party app that they would convince targeted victims to download through socially engineered mobile phishing campaigns.

Authors

Lookout

Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as their preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Entry Type: Threat Guidances
Threat Type: Vulnerability
Platform(s) Affected: Android