Mobile security company Kryptowire has disclosed a vulnerability, tracked as CVE-2022-22292, affecting several Samsung devices running Android 9, 10, 11, and 12.
The vulnerability lets any local application, including third-party apps that hold no permissions at all, hand an arbitrary intent object to a pre-installed application, which then uses it to start an application activity component on the attacker's behalf.
“The vulnerability allows a third-party application to provide an arbitrary intent object that will initiate a pre-installed application run as a system user with all permissions, privileges, and capabilities,” the company wrote on its official website, Wednesday (6/4/2022).
The impact is broad because the flaw essentially allows third-party applications to launch arbitrary activity components and send data to them. That opens up serious attacks: a third-party application can deliver objects with embedded data to activities and similar components of the system itself.
In this way an unprivileged application can use the unprotected interface to have the system perform actions on its behalf.
As an example, the company cites the Samsung S21 Ultra 5G running Android 12. On that phone, a third-party app can make the pre-installed apps carry out activities on its behalf: performing a factory reset, installing arbitrary apps, uninstalling arbitrary apps, dialing phone numbers including emergency numbers such as 911, and installing custom certificate authorities.
All of these actions, according to Kryptowire, are carried out without any user involvement.
The company also tested a Samsung A10e running Android 9, where the flaw allows local apps without any permissions to indirectly send intent objects as the system user.
This goes through the same dynamically registered broadcast receiver component of the pre-installed com.android.server.telecom app that is exposed on Android 10 through 12.
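To make the pattern concrete, here is an added illustration, written for this article and not taken from Samsung's or Kryptowire's code, of a dynamically registered receiver that forwards a caller-supplied Intent, beside a hardened version; the action, extra, permission and component names are constructed.

```java
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

/** Hypothetical illustration of the intent-redirection pattern; not Samsung's code. */
public final class IntentForwardingExample {
    // Constructed action, extra and permission names for this example.
    static final String ACTION_LAUNCH = "example.action.LAUNCH";
    static final String EXTRA_TARGET = "example.extra.TARGET";
    static final String PERM_INTERNAL = "example.permission.LAUNCH_INTERNAL";

    // VULNERABLE PATTERN: an exported, permission-less receiver in a privileged app
    // unpacks a caller-supplied Intent and starts whatever it points at. The target
    // activity then runs with the forwarding app's identity and privileges.
    static final BroadcastReceiver VULNERABLE = new BroadcastReceiver() {
        @Override public void onReceive(Context ctx, Intent in) {
            Intent target = in.getParcelableExtra(EXTRA_TARGET);
            if (target != null) ctx.startActivity(target);
        }
    };
    static void registerVulnerable(Context ctx) {
        // Dynamically registered with no broadcastPermission: any app can trigger it.
        ctx.registerReceiver(VULNERABLE, new IntentFilter(ACTION_LAUNCH));
    }

    // HARDENED PATTERN: limit who may send, and limit where a forwarded Intent may go.
    // Best of all is to not accept an Intent at all and take a plain string instead.
    static final ComponentName ALLOWED =
            new ComponentName("example.app", "example.app.SafeActivity");

    static final BroadcastReceiver HARDENED = new BroadcastReceiver() {
        @Override public void onReceive(Context ctx, Intent in) {
            Intent target = in.getParcelableExtra(EXTRA_TARGET);
            // Explicit allowlist: refuse anything that is not our own known activity.
            if (target == null || !ALLOWED.equals(target.getComponent())) return;
            // Drop URI grants so the caller cannot borrow this app's content access.
            target.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                    | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
            ctx.startActivity(target);
        }
    };

    static void registerHardened(Context ctx) {
        // Only senders holding PERM_INTERNAL (declare it with
        // protectionLevel="signature" in the manifest) can deliver the broadcast.
        ctx.registerReceiver(HARDENED, new IntentFilter(ACTION_LAUNCH), PERM_INTERNAL, null);
    }
}
```

On API 33 and later, registering with Context.RECEIVER_NOT_EXPORTED additionally keeps the receiver from being reachable by other apps at all.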
Kryptowire also lists the affected devices it dynamically confirmed to be vulnerable: the Samsung S21 Ultra 5G (Android 11 and 12), the Samsung S10+ (Android 10), and the Samsung A10e (Android 9).