A security flaw discovered by Terence Eden on the Galaxy Note II with Android 4.1.2 may make that device less secure than you think when it’s locked by a code or other method.
He discovered that the homescreen can be accessed, albeit it just for a split second, by pressing the “Emergency Call” icon, then the ICE button and finally pressing the physical home key for several seconds.
While brief, it’s still enough time to click on any of your homescreen apps, which normally wouldn’t present a problem since access goes away when the home page disappears again. However, if one of your apps is a “direct dial” widget, for instance, a call can actually be placed by a hacker, and many other programs that perform an action at launch could also leave the device vulnerable.
We’ve confirmed the flaw on our own handsets and the individual who discovered it says that after reporting it five days ago, Samsung has yet to respond. We’ve reached out to the Korean company ourselves and will let you know about any further developments.
Devices running Samsung’s Exynos 4-based processors (4210 and 4412) including the Galaxy S III and Galaxy Note II have been shown to be vulnerable to a hack with potentially serious ramifications. A developer on the XDA Developers forum @alephzain uncovered the vulnerability, which could give a malicious app the ability to wipe data, brick a device or access a user’s data without their knowledge.
Devices that are vulnerable to attack appear include any device that runs the Exynos 4-based designs, coupled with Samsung’s kernel sources. This means that devices including the Meizu MX are also vulnerable to the same exploit along with other Samsung devices. Although no known software uses the exploit maliciously, a senior moderator on the XDA Developers forum @Chainfire has written an APK exploiting the loophole gaining root priveleges “on any Exynos 4-based device.”
Another programmer @Supercurio has released a quick fix through Project Voodoo that closes the hack, however, it will depend on Samsung to ensure that the gaping security hole is properly. XDA Developers have contacted Samsung about the matter and report that the company is aware of the issue. However, Samsung had yet to publicly acknowledge the issue at the time of writing.
Samsung Galaxy S III security fix reportedly rolling out to UK users
On 2nd January, Samsung pushed a software update (I9300XXELLA) to the Galaxy S III and we can confirm that the new software update fixes the infamous Exynos 4 vulnerability. The security flaw was in the kernel which made the device R/W by all users, apps and gave access to full Physical Memory. In short, this vulnerability gave root permissions to *any* app and there was no control over it but now with the new system update the security hole has been patched.
We believe that the new system update also fixes the sudden death issue as the new firmware ships with brand new bootloaders and this is the first time Samsung has updated the bootloaders of the device since it started shipping back in May 2012. But, we can’t confirm if sudden death issue has been resolved or not as Samsung is the only one who can confirm about the fix.
For now the new software update is only available for the United kingdom (BTU) but we expect other countries to follow soon. We would urge Galaxy S III users to immediatly update their device to the latest firmware via Kies or OTA (Over-The-Air).
Official Firmware Details:
Android Version: 4.1.2 – Build JZO54K
Build Date: 22-12-12
Change list: 742798
Source: Sam Mobile