Inaccurate Information: What You Need to Know About the New Samsung Vulnerability

Exynos 4412 Processor at Risk

It has been said this week that Samsung’s Galaxy S III, Galaxy Note 2, and Galaxy S II smartphones have a software loophole that can be used to hack into user devices, according to an XDA developer named Alephzain. He discovered the security loophole while trying to root his Galaxy S III, and provides his own update to cover the vulnerability (Project Voodoo). The idea that Samsung has some software exposure is no secret; Samsung’s smartphones, like the iPhone and the phones of other Android manufacturers, come with assisted GPS, another vulnerability that hackers can access remotely. At the same time, however, tech writers have spent the week claiming that Samsung’s Galaxy S III, in general, contains the vulnerability. I submit the following statement:

  • “A severe vulnerability in the Samsung Galaxy S III, Galaxy S II, Galaxy Note II, and potentially several other devices, could give remotely downloaded apps the ability to read user data, brick phones, or perform other malicious activities…(The vulnerability is suspected to potentially affect all devices with Exynos 4210 and 4412 processors that use Samsung code.)” (The Verge)

While The Verge does not include it, a writer at The Next Web points out that someone from China has already taken advantage of the newly-known vulnerability:

“In fact, a senior moderator who calls himself Chainfire has created an APK file that uses Alephzain’s exploit, dubbed ExynosAbuse, to gain root privileges and install the latest release of SuperSU ‘on any Exynos4-based device.’”

While reports such as these come out frequently when discussing smartphones, it is a real loophole in Android devices that can prove dangerous for smartphone users. Nevertheless, when the news is provided, is it always accurate? I would have to answer “no” to this question. A number of article titles claimed that the “Galaxy S3” and other Galaxy phones (implicitly referring to all versions of these phones) have the vulnerability. However, this is not necessarily so. Writes Android Central:

“The actual exploit itself only affects devices with the Exynos 4210 and 4412 processor. That means the Sprint Galaxy S II, the international Galaxy S II, the international Galaxy S3, the international Galaxy Note, and the Galaxy Note 2 are all affected…the US versions of the Galaxy S3 are safe this time.”

According to Android Central, the international Galaxy S3 is at risk, but the American S3 is not. This means that news reports that do not specify the risk but declare blindly that all S3s are at risk are guilty of inaccurate (and implicitly dishonest) reporting.

Shawn Ingram of GottaBeMobile writes the following at the end of his article, “Galaxy S3, Galaxy Note Security Hole; Samsung Promises Fast Fix”:

“U.S. Galaxy S3 owners also won’t have to worry about the update because the U.S. version of the phone doesn’t use Samsung’s Exynos processor. The U.S. versions of the phone use dual-core Snapdragon S4 processors instead, because the Exynos processor couldn’t support 4G LTE at the time of the phone’s release.

The U.S. Galaxy Note 2 does use Samsung’s Exynos processor, however, so those users should avoid any suspicious apps. All smartphones should avoid suspicious apps, however, regardless of their smartphone of choice.” (underline mine)

The American Galaxy S2 uses the Exynos processor, but the American Galaxy S3 does not (thank goodness for 4G LTE). This means that American S3 users can rest easy knowing that their device does not have the vulnerability.