1. Overview

In Samsung Galaxy S3/S4, a built-in system app exposes an unprotected component which allows an unprivileged app on the phone to send arbitrary SMS text messages to arbitrary destinations without requesting the standard SEND_SMS permission.

2. Vendor Response

Contact Time: June 10, 2013

Confirm Time: June 17, 2013

Patched Time: TBD

Patched Status: In Progress

3. Impact

1) Access Vector

Locally exploitable

2) Access Complexity

Low

3) Authentication

Permissions with normal protection level shall be required to access the corresponding content providers.

4) Impact Type

The vulnerable software allows any unprivileged app to send SMS/MMS messages to an arbitrary destination number with arbitrary content.

4. Vulnerability Details

In Samsung Galaxy S3/S4, a pre-loaded app, i.e., sCloudBackupProvider.apk, is used to provide backup functionality for the users, and it unintentionally exposes some unprotected components. These components can be sequentially triggered in a specific order to create arbitrary SMS content, inject it into the system-wide SMS database, and then trigger the built-in SMS-sending behavior (to an arbitrary destination). This vulnerability also affects MMS messages.
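For auditing pre-loaded packages for this class of exposure, the following added example (not part of the original advisory, and not Samsung's or QIHU's code) lists the components of a decoded AndroidManifest.xml that any installed app can reach, either with no permission at all or with only a normal-level permission. It assumes the manifest has already been decoded to text XML and applies the Android 4.x export defaults; the sample manifest and every name in it are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Constructed manifest: package, component and permission names are hypothetical,
# not taken from sCloudBackupProvider.apk.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.backup">
  <uses-sdk android:targetSdkVersion="16"/>
  <permission android:name="com.example.backup.READ" android:protectionLevel="normal"/>
  <permission android:name="com.example.backup.SIGNED" android:protectionLevel="signature"/>
  <application>
    <receiver android:name=".RestoreReceiver">
      <intent-filter><action android:name="com.example.backup.RESTORE"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.backup.SIGNED"/>
    <provider android:name=".SmsBackupProvider" android:authorities="com.example.backup.sms"
        android:permission="com.example.backup.READ"/>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (tag, name, finding) for each component any installed app can reach."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    # Permissions this package defines; protectionLevel defaults to "normal".
    levels = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
              for p in root.findall("permission")}
    app = root.find("application")
    findings = []
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = comp.get(A + "exported")
        if exported is None and comp.tag == "provider":
            exported = "true" if target <= 16 else "false"  # provider default by targetSdk
        elif exported is None:  # others: exported by default when they have a filter
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported != "true":
            continue
        perm = comp.get(A + "permission") or app.get(A + "permission")
        # For providers, read/write permissions take precedence per direction.
        keys = ("readPermission", "writePermission") if comp.tag == "provider" else ()
        perms = [comp.get(A + k) or perm for k in keys] or [perm]
        if None in perms:
            findings.append((comp.tag, comp.get(A + "name"), "exported, no permission"))
        elif any(levels.get(p) == "normal" for p in perms):
            findings.append((comp.tag, comp.get(A + "name"), "exported, normal-level permission"))
    return findings
```

Components guarded by a signature-level permission, or not exported at all, are not reported; permissions defined outside the audited manifest are treated as adequate and need a separate check.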

5. Vulnerable software and versions

Affected devices:

Galaxy S3 (build #: IMM76D.I9300UBALF5):

Package Name: com.sec.android.sCloudBackupProvider

Version Code: 1

Version Name: 1.0

Galaxy S4 (build #: JDQ39.I9505XXUAMDE and JDQ39.I9500ZCUAMDH):

Package Name: com.sec.android.sCloudBackupProvider

Version Code: 14

Version Name: 1.4

6. Workarounds

QIHU Inc. has tested the following workarounds that do NOT correct the vulnerability but would help block known attack vectors before applying the official OTA update from Samsung:

Disable the vulnerable app (sCloudBackupProvider.apk).

Impact: After disabling the app, the built-in cloud backup and restore function of Galaxy S3/S4 will not be available.