Mindful of the danger that the vulnerabilities present to the users if they are exploited by malicious individuals, he decided not to share any technical details, but to just give a broad overview of what their misuse would allow:
- a silent installation of highly-privileged applications with no user interaction
- SMS sending and changing of various phone settings without the app requiring the permission to do so
- an app performing almost any action on the victim's phone.
He admits at being surprised at the length of time it takes for Samsung to patch the vulnerabilities, especially because he believes they are easily fixed. The company replied to him that "any patches [Samsung] develops must first be approved by the network carriers."
In the meantime, UK blogger Terence Eden has demonstrated another lock screen bypass flaw he found on Samsung Android phones, which allows anyone to completely disable the lock screen and get access to any app.
The lock screen bypass flaw he discovered earlier this month has still not been patched by Samsung, but Bkav has released a patch that not only fixes the flaw, but also takes a photo of anyone trying to misuse the flaw and emails it to the phone's owner.
UPDATE (March 22): Bkav has developed a patch for the Samsung lock screen flaw disclosed by Eden.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.