1. Overview

In Samsung Galaxy S3/S4, a built-in system app exposes an unprotected component which allows an unprivileged app on the phone to fake arbitrary SMS text messages (and MMS, and call logs) without requesting standard SEND_SMS/WRITE_SMS permissions.

2. Vendor Response

Contact Time: June 10, 2013

Confirm Time: June 17, 2013

Patched Time: TBD

Patched Status: In Progress

3. Impact

1) Access Vector

Locally exploitable

2) Access Complexity


3) Authentication

Permissions with normal protection level shall be required to access the corresponding content providers.

4) Impact Type

The vulnerable software allows any unprivileged app to:

1) access sensitive information, including SMS/MMS messages and call logs;

2) launch smishing attacks.

4. Vulnerability Details

In Samsung Galaxy S3/S4, a pre-loaded app, sCloudBackupProvider.apk, provides backup functionality for users, and it unintentionally exposes an unprotected component. By exploiting this unprotected component, an unprivileged app can trigger a so-called “restore” operation to write SMS messages back to the standard SMS database file (mmssms.db) used by the system messaging app, SecMms.apk. As a result, a smishing attack can create and inject arbitrary (fake) SMS text messages. Similarly, fake MMS messages and call logs are also possible.
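The following audit check is an added example, not part of the original advisory and not Samsung's or QIHU's code. It flags the class of flaw described above in a decoded AndroidManifest.xml: components that are exported but require no permission. The manifest, package name and component names are constructed, since the advisory does not name the affected component.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.backup">
  <application>
    <receiver android:name=".RestoreReceiver">
      <intent-filter><action android:name="com.example.backup.RESTORE_SMS"/></intent-filter>
    </receiver>
    <service android:name=".GuardedService" android:exported="true"
        android:permission="com.example.backup.RESTORE"/>
    <service android:name=".InternalService" android:exported="false"/>
    <provider android:name=".LogProvider" android:authorities="com.example.backup.logs"
        android:exported="true" android:readPermission="com.example.backup.RESTORE"/>
  </application>
</manifest>"""

def is_exported(elem):
    """An explicit android:exported wins; otherwise apply the platform defaults."""
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return True  # assumption: pre-API-17 default, treated conservatively
    return elem.find("intent-filter") is not None  # an intent filter implies export

def unprotected_components(manifest_xml):
    """Return (tag, name, missing) for exported components lacking a permission."""
    app = ET.fromstring(manifest_xml).find("application")
    app_perm = app.get(A + "permission")  # application-wide default, if any
    findings = []
    for elem in app:
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        perm = elem.get(A + "permission") or app_perm
        if elem.tag == "provider":  # providers guard reads and writes separately
            read = elem.get(A + "readPermission") or perm
            write = elem.get(A + "writePermission") or perm
            missing = [k for k, v in (("read", read), ("write", write)) if not v]
        else:
            missing = [] if perm else ["access"]
        if missing:
            findings.append((elem.tag, elem.get(A + "name"), missing))
    return findings

if __name__ == "__main__":
    for finding in unprotected_components(SAMPLE_MANIFEST):
        print(finding)
```

A finding only shows that no permission is declared on the component; whether the permission that is declared has an adequate protection level has to be checked separately.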

5. Vulnerable software and versions

Affected devices:

Galaxy S3 (build #: IMM76D.I9300UBALF5):

Package Name: com.sec.android.sCloudBackupProvider

Version Code: 1

Version Name: 1.0

Galaxy S4 (build #: JDQ39.I9505XXUAMDE and JDQ39.I9500ZCUAMDH):

Package Name: com.sec.android.sCloudBackupProvider

Version Code: 14

Version Name: 1.4

6. Workarounds

QIHU Inc. has tested the following workarounds, which do NOT correct the vulnerability but would help block known attack vectors before the official OTA update from Samsung is applied:

Disable the vulnerable app (sCloudBackupProvider.apk).

Impact: After disabling the app, the built-in cloud backup and restore function of Galaxy S3/S4 will not be available.