Pedro Umbelino, the Char49 researcher who discovered the bugs, said that the malicious app would only need access to the device’s SD card to exploit the first vulnerability in the chain and build a file that would allow the attacker to intercept backend server communication.
Successful exploitation of the vulnerabilities would have allowed a malicious user to perform any action the Find My Mobile app can take, including forcing a factory reset, wiping data, monitoring the position of the device in real time, retrieving phone calls and messages, and locking and unlocking the phone. Before the vendor released a patch, the exploit was successfully replicated on Samsung Galaxy S7, S8, and S9+ devices.

Char49 said that the vulnerabilities were discovered more than a year ago, but they were only fixed by Samsung at the end of October 2019, and the security company decided to wait 9 months before making the information public.

“This vulnerability can be easily exploited after configuration, with severe consequences for the consumer and with a potentially disastrous impact: permanent denial of service via telephone lock, complete data loss with factory reset (including sdcard), serious privacy consequences via IMEI and location tracking as well as call and SMS log access,” the company explained in a technical report describing each of the vulnerabilities.

It added, “The [Find My Mobile] framework should not have publicly accessible, and in an exported state, arbitrary components. If absolutely required, for example if these components are called by other packages, they should be secured with proper permissions. You should avoid testing code that depends on the presence of files in public places.”