Samsung Hasn't Patched A Serious Security Issue For Over A Year [Updated]
Update : Samsung issued a statement on the matter:
"Samsung takes the security of its products very seriously. We have already taken steps to prevent these potential exploit chains by releasing patches for Samsung Internet Software in December 2022. Starting in December, Samsung Internet Software updates disable access points for remaining vulnerabilities and ensure device protection does..
We are actively working with our partners to release patches for remaining vulnerabilities after April as soon as possible and encourage all users to update their devices to the latest firmware to ensure the highest level of security.
Google's Threat Analysis Team (TAG) has found that Samsung has not patched a key zero-day security vulnerability in its Galaxy devices for over a year. The flaw exists in ARM's Mali GPU, which is found in Samsung's Exynos processors that power millions of Galaxy devices worldwide. ARM released the patch in January 2022, but the Korean company has yet to include it in its security releases.
Common Vulnerabilities and Effects This issue, called CVE-2022-22706, is a vulnerability in the Mali GPU kernel driver. The flaw, discovered by security researchers from Google's Project Zero team, was made public last November along with many other critical zero-day vulnerabilities affecting millions of Android smartphones worldwide. After ARM released the patch in January and confirmed it was in use in the wild, phone makers have about eight months to create the next fix.
During the announcement, Project Zero's Ian Beer said devices from Samsung, Google, Oppo, Xiaomi and other brands are at risk. After all, the vulnerability was present in almost all Android devices with Mali GPU. In a new update on Wednesday, TAG revealed that Samsung has yet to release a fix for the vulnerability. This is despite reports that attackers are using the flaw to trick unsuspecting users into clicking on malicious links in the Samsung Internet browser on Galaxy devices.
According to TAG, this exploit chain was discovered last December. It can provide "extensive Android spyware written in C++ that includes libraries for hacking and collecting data from various browsers and chat applications." Because Samsung left this vulnerability unpatched, threat actors used Samsung Internet to trick Galaxy users. "This vulnerability allows an attacker to access the system," explained TAG's Clément Lessin. They added that browser version 19.0.6 or later is immune to this exploit.
However, the flaw remains unresolved at the system level. Essentially, this means that threat actors can develop new exploits to gain system access to millions of Galaxy devices. Except for the Galaxy S22 series, all other Exynos-based Galaxy models are vulnerable. The Exynos 2200 chipset used in last year's Galaxy S22 series features AMD's Xclipse 920 GPU based on RDNA 2. This is under Samsung's strict control. We hope that the company will fix this vulnerability as soon as possible. We will let you know when we release an official statement about it.