The brilliant minds at XDA Developers have done it again; this time, a user by the name of alephzain claims to have discovered a vulnerability in multiple Samsung devices that gives access to all physical memory. The potential is huge: attackers could use malicious apps to wipe data and brick devices or, more likely, quietly access user data.
Alephzain first used the vulnerability to root his Samsung Galaxy S III, but says the flaw also exists on the Samsung Galaxy S II, the Samsung Galaxy Note II, the Meizu MX, and potentially other devices that feature an Exynos processor (4210 and 4412) and use Samsung kernel sources.
While Samsung has yet to confirm the issue, it’s already being exploited. In fact, a senior moderator who calls himself Chainfire has created an APK file that uses Alephzain’s exploit, dubbed ExynosAbuse, to gain root privileges and install the latest release of SuperSU “on any Exynos4-based device.”
The post lists the following devices as being compatible: Samsung Galaxy S2 GT-I9100, Samsung Galaxy S3 GT-I9300, Samsung Galaxy S3 LTE GT-I9305, Samsung Galaxy Note GT-N7000, Samsung Galaxy Note 2 GT-N7100, Verizon Galaxy Note 2 SCH-I605 (with locked bootloaders), Samsung Galaxy Note 10.1 GT-N8000, and the Samsung Galaxy Note 10.1 GT-N8010.
It’s worth noting that we are not aware of any Android malware apps that exploit this particular vulnerability. Furthermore, many devices are not affected since they don’t have the right processor; for example, a recognized developer by the name of Supercurio notes the Nexus 10 is not compatible since it is powered by an Exynos 5 chip.
Samsung has reportedly been notified about the XDA thread. Chainfire says he flagged it for some Samsung engineers to read, while Supercurio says he confirmed “that people at Samsung have just made aware of it.”
We have also contacted Samsung about this issue. We will update this article if we hear back.
Update: Supercurio has released a quick fix for the vulnerability while we wait for Samsung to respond. Details are available from Project Voodoo.
Image credit: Bjarne Henning Kvaale