1. Overview
In Samsung Galaxy S3/S4, a built-in system app exposes an unprotected component which allows an unprivileged app on the phone to fake arbitrary SMS text messages (and MMS, and call logs) without requesting standard SEND_SMS/WRITE_SMS permissions.
2. Vendor Response
Contact Time: June 10, 2013
Confirm Time: June 17, 2013
Patched Time: TBD
Patched Status: In Progress
3. Impact
1) Access Vector
Local exploitable
2) Access Complexity
Low
3) Authentication
Permissions with normal protection level shall be required to access the corresponding content providers.
4) Impact Type
The vulnerable software allows any unprivileged app to:
1) access sensitive information, including SMS/MMS messages and call logs;
2) launch smishing attack.
4. Vulnerability Details
In Samsung Galaxy S3/S4, a pre-loaded app, i.e., sCloudBackupProvider.apk, is used to provide backup functionality for the users, and it unintentially exposes an unprotected component. By exploiting this unprotected component, an unprivileged app can trigger a so-called “restore” operation to write SMS messages back to the standard SMS database file (mmssms.db) used by the system messaging app, i.e., SecMms.apk. As a result, a smishing attack can effectively create and inject arbitrary (fake) SMS text messages. Similarly, fake MMS messages and call logs are also possible.
5. Vulnerable software and versions
Affected devices:
Galaxy S3 (build #: IMM76D.I9300UBALF5):
Package Name: com.sec.android.sCloudBackupProvider
Version Code: 1
Version Name: 1.0
Galaxy S4 (build #: JDQ39.I9505XXUAMDE and JDQ39.I9500ZCUAMDH):
Package Name: com.sec.android.sCloudBackupProvider
Version Code: 14
Version Name: 1.4
6. Workarounds
QIHU Inc. has tested the following workarounds that does NOT correct the vulnerability but would help block known attack vectors before applying the official OTA update from Samsung:
Disable the vulnerable app (sCloudBackupProvider.apk).
Impact: After disabling the app, the built-in cloud backup and restore function of Galaxy S3/S4 will not be avaiable.