1. Overview
In Samsung Galaxy S3/S4, a built-in system app exposes an unprotected component that allows an unprivileged app on the phone to send arbitrary SMS text messages to arbitrary destinations without requesting the standard SEND_SMS permission.
2. Vendor Response
Contact Time: June 10, 2013
Confirm Time: June 17, 2013
Patched Time: TBD
Patched Status: In Progress
3. Impact
1) Access Vector
Locally exploitable
2) Access Complexity
Low
3) Authentication
Permissions with normal protection level shall be required to access the corresponding content providers.
4) Impact Type
The vulnerable software allows any unprivileged app to send SMS/MMS messages to arbitrary destination numbers with arbitrary content.
4. Vulnerability Details
In Samsung Galaxy S3/S4, a pre-loaded app, sCloudBackupProvider.apk, provides backup functionality for users, and it unintentionally exposes some unprotected components. These components can be triggered sequentially in a specific order to create arbitrary SMS content, inject it into the system-wide SMS database, and then trigger the built-in SMS-sending behavior (to an arbitrary destination). This vulnerability also affects MMS messages.
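A defender-side check for the class of flaw described above, as an added example that is not part of the original advisory or of Samsung's code: it scans a decoded AndroidManifest.xml (for example, one produced by apktool) for components that are exported with no permission, or guarded only by a permission declared at normal protection level. The sample manifest is constructed; its package, component and permission names are hypothetical, only targetSdkVersion is used for the provider default, and permissions declared outside the manifest are not evaluated.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest; package, component and permission names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.backup">
  <uses-sdk android:targetSdkVersion="16"/>
  <permission android:name="com.example.backup.SIG" android:protectionLevel="signature"/>
  <permission android:name="com.example.backup.WEAK"/>
  <application>
    <receiver android:name=".RestoreReceiver">
      <intent-filter><action android:name="com.example.backup.RESTORE"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.backup.SIG"/>
    <provider android:name=".SmsBackupProvider" android:authorities="com.example.backup.sms"
        android:readPermission="com.example.backup.WEAK"/>
    <activity android:name=".Settings"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (component name, reason) for components any installed app can reach."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(NS + "targetSdkVersion", "1")) if sdk is not None else 1
    # Permissions declared at normal level (the default) are granted to any
    # app that requests them, so they do not restrict who can call.
    weak = {p.get(NS + "name") for p in root.iter("permission")
            if p.get(NS + "protectionLevel", "normal") == "normal"}
    app = root.find("application")
    findings = []
    for comp in (c for c in app if c.tag in COMPONENTS):
        exported = comp.get(NS + "exported")
        if exported is None:
            # Defaults: providers below targetSdkVersion 17; others when they have an intent filter.
            implicit = target < 17 if comp.tag == "provider" else comp.find("intent-filter") is not None
            exported = "true" if implicit else "false"
        if exported != "true":
            continue
        own = [comp.get(NS + k) for k in ("permission", "readPermission", "writePermission")]
        perms = [p for p in own if p] or [p for p in [app.get(NS + "permission")] if p]
        if not perms:
            findings.append((comp.get(NS + "name"), "exported without permission"))
        elif any(p in weak for p in perms):
            findings.append((comp.get(NS + "name"), "exported with normal-level permission"))
    return findings
```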
5. Vulnerable software and versions
Affected devices:
Galaxy S3 (build #: IMM76D.I9300UBALF5):
Package Name: com.sec.android.sCloudBackupProvider
Version Code: 1
Version Name: 1.0
Galaxy S4 (build #: JDQ39.I9505XXUAMDE and JDQ39.I9500ZCUAMDH):
Package Name: com.sec.android.sCloudBackupProvider
Version Code: 14
Version Name: 1.4
6. Workarounds
QIHU Inc. has tested the following workarounds, which do NOT correct the vulnerability but would help block known attack vectors until the official OTA update from Samsung is applied:
Disable the vulnerable app (sCloudBackupProvider.apk).
Impact: After disabling the app, the built-in cloud backup and restore function of Galaxy S3/S4 will not be available.