Samsung shipped over 100 million smartphones with a dangerous security flaw, a new report has uncovered. The loophole affected several Samsung devices, including flagships going back to the Galaxy S8 series. It's worth noting that Samsung is among the top Android OEMs when it comes to delivering regular security updates. The brand has promised a minimum of four years of security updates for Galaxy devices launched since 2019, from the affordable Galaxy A-series phones to the flagship Galaxy S-series.

Despite Samsung leading the way when it comes to updates, its devices are still exposed to security flaws from time to time. In 2021, a researcher found over a dozen vulnerabilities in Samsung's native apps which allowed hackers to spy on users. One of the flaws would have enabled a hacker to collect user data from notifications, including chat descriptions from WhatsApp and Telegram, as well as notifications from Google Docs, Gmail, and more. Hackers would also be able to copy a user's contacts from the Secure Folder. Samsung patched most of the flaws in the March 2021 security update, while subsequent patches in April and June 2021 completed the fix.

A more recent vulnerability in Samsung phones was discovered by a team of researchers from Tel-Aviv University in Israel (spotted by SamMobile). The report found that several phones in Samsung's flagship Galaxy S8, Galaxy S9, Galaxy S10, Galaxy S20, and Galaxy S21 series were shipped with a major security flaw that would allow hackers to access users' passwords. Over 100 million phones with this issue were shipped by Samsung. The weakness was discovered in Samsung's TrustZone OS, which performs security-related functions and runs alongside Android.

Samsung Security Flaw - Should Galaxy Users Be Worried?

According to the researchers, the security flaw was caused by faulty cryptographic design in the TrustZone operating system and would have enabled hackers to extract hardware-protected keys. The researchers reverse-engineered the flaw to demonstrate how it could be misused, and made a case for requiring proven security design standards among device vendors.

While the report paints a grim picture, the good news is that Samsung device owners don't need to be worried about this particular loophole. The researchers reported the flaw to Samsung in May 2021, and a patch released in August 2021 fixed many affected devices including the Samsung Galaxy S9. A subsequent patch in October 2021 fixed the issue on the Galaxy S10, Galaxy S20 and Galaxy S21. As long as a user has updated their phone to the latest available security patch, they shouldn't be affected. This issue also highlights the need to keep a device on the latest available software version, since even minor updates can include fixes that protect user privacy.

Source: Tel-Aviv University (via SamMobile)