The Samsung Exynos kernel exploit - what you need to know

By last updated

A new kernel exploit has been found (credit to alephzain at XDA) that affects some Samsung Exynos chipsets -- which happen to power many of Samsung's more popular phones. Normally kernel exploits don't make the rounds as news, but this time the word "malware" got attached to it so it has a bit of steam behind it.

Let's start this by reminding everyone that any app or program that roots your Android phone or jailbreaks your iOS device is malware by this definition. People really need to give up on that damn click-bait, and instead worry about educating people to help keep them safer. That's what we're going to try to do, so read on and lets have a look.

Update: A couple new things here. First is that Supercurio has worked up a quick and easy app that'll patch this exploit if you're worried about it. It'll let you know if your device is vulnerable, closes the exploit without requiring root access (so it should work on any phone or tablet), and it "doesn't modify your system, copy files or flash anything." You can turn the fix off and on as you choose, which is good because it breaks camera functionality on some devices (read more after the break on why that happens), and it could mess with HDMI output on some devices, Supercurio says. Also, we're re-emphasizing Chainfire's thread in the link below. Great stuff from the Android community. Let's hope Samsung gets something pushed out on its end as soon as it can.

Source: XDA; More: Chainfire's ExynosAbuse root exploit thread

The exploit and affected devices

The actual exploit itself only affects devices with the Exynos 4210 and 4412 processor. That means the Sprint Galaxy S II, the international Galaxy S II, the international Galaxy S3, the international Galaxy Note, and the Galaxy Note 2 are all affected, as well as tablets using the Exynos 4 -- certain Galaxy Player models, Galaxy Tab 2 devices and the Galaxy Note 10.1. We also don't want to forget the Galaxy Camera. While the U.S. versions of the Galaxy S3 are safe this time, that's still a whole lot of phones. There are also a few other phones (like the MEIZU MX) that use this SoC and may be affected. 

Why is this different?

But why is what's basically a one-click root APK making the news? It's a pretty severe bug in Samsung's kernel source that lets users have access to the device RAM, and then we're free to dump it and see what's there or inject new processes of our own. The proof-of-concept APK that roots all the above named devices with one click (note that even the Verizon Galaxy Note 2 with a locked bootloader is easily rooted) is a perfect example. The train of thought is that an app could be built with this exploit hidden inside, rooting your phone without your knowledge. It then could use the new elevated permissions to send data off to somewhere else, or do any number of equally dirty things you can do with root access. These apps could be distributed anywhere, and are easily installable. Always remember that a rooted phone or an unlocked bootloader means half the work for "the bad guys" is already done. This exploit makes that half easy for those same bad guys if your device is not rooted.

What should I do?

First, make sure your device is one that could be affected, We've listed them above, but if you still have questions ask in the forums. It's important to know if your device is affected or not. There are plenty of people who will give you the answer you're looking for.

If you're one of the many who have a custom ROM to help get away from the TouchWiz, you'll need to get with your ROM developer and see if that ROM's kernel is affected. Your device probably already is rooted, but you still don't want to be running around with a big unpatched hole that lets an app read a dump of your device memory.

If you're using a stock device and it's affected by this, your phone won't suddenly go rogue all on its own. You'll need to be mindful of what you're downloading and installing, especially if you're downloading and installing pirate copies of apps. (Which you should be mindful of anyway.) There is no specific app permission to look out for, as any app is able to access the device memory. You'll have to be vigilant -- just like you always should be. It's worth noting that nobody has seen or heard of any malware using this bug, and likely never will. 

Samsung, here is your chance to make us love you even more. While this is not the "sky-is-falling" scenario that many will make it out to be, it is a critical flaw in the kernel that needs addressed quickly and thoroughly. We have no doubts that a patch will come soon that fixes the permissions, but having the patch and getting it to your users is another matter. We've reached out to Samsung for their side of this one, we'll let you know as soon as they respond. 

Jerry Hildenbrand
Jerry Hildenbrand

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.
42 Comments
  • Go Samsung!
  • I know this is wishful thinking, but I want to see Samsung take the carrier out of the equation when they patch the exploit. Oh, and deliver it via OTA.
  • This is why I read this website. The massive bullsh** apologetics for Android and Google. I can always count on Android Central to deflect the issue to the press, or to the users, or to anywhere except Google. The podcast is hilarious for the same reason. It's very entertaining! Android Central: The place to learn where Android is secure and the Nexus Q is an awesome home entertainment device.
  • I'm trying to follow you here but I keep ending up that you've somehow blamed Google for this which cannot be right. I say cannot be right because nobody with any sense or knowledge of the source and the exploit could blame the OS maintainer (Google) for a bug that only impacts a specific SOC (Exynos), one created by a company (Samsung) other than said maintainer (Google), and only impacts that specific SOC (Exynos), meaning the exploit doesn't impact the actual source of the OS (which includes kernel). So you could see with the common sense logic I've applied above, I'm having a hard time ending up in the same place you've landed. I've also been kind enough to explain why I disagree with you, would you mind returning the favor?
  • Well said! and a gentleman too -//- now can i see the respond, Please..
  • This has zero to do with Android or Google. It's Samsung's modified kernel source.  
  • No worries Jerry, I booby trapped my reply with logic. If there's one thing trolls hate, it's logic. They've yet to develop a defense system for it ;-)
  • So Lets HACK logic.. and see what comes out.
  • And then blame Google for logic having an exploit.
  • Now come on, that is not a fact. AC does a decent job of reporting the news and the real world dangers of it. If you are using pirated apps, you deserve what you get, just like torrents on the PC. This is an Android site and of course the pros of android are going to be touted, and by extension Google. THe Q is a decent device and I am pretty sure that it was given quite a few cons by the staff here when it has gone through it issues. That being said, the amount of talking up the N4 gets is over the top, especially the enforcement of "we don't talk bad about the N4 in the forums" Android Central is a great resource for Android and most things google
  • You forgot to mention the AT&T Galaxy SII
  • Question:
    If you rooted your device yourself, and setup a password to Superuser or SuperSU, how does that change things?
  • With this exploit, unrooted phones can be rooted and exploited with no pop up asking for permission, just as if you deleted the SuperSU app. Also -- an app doesn't have to ask for superuser permission to read the device memory, as it's marked read/write for everyone. Not sure what exactly can be done with that, but it's the kind of hole you don't want left open.
  • Crytographic keys are normally stored in the memory region at the time of encryption/decryption. This is why cold boot attack works. With this Samsung bug, you can basically perform a cold boot attack, without freezing the RAM and removing it in this case, just dump the memory and the cryptographic key is yours and you can decrypt all the data that used that key to encrypt it.
  • Yikes, now I'm suddenly glad I don't have the Exynos S3 (Hugs Verizon S3)
  • Being a major Samsung fan, they are the only mobile phone manufacturer that listens and gives the Android community what they ask for. They will fix this issue, if you want to root your device and haven't yet, I would just wait until this is fixed. Don't get nervous, this isn't nearly as big of a deal as everyone is trying to make it. Samsung is the most developer friendly phone, they will be on this right away. This will not slow down Machine Samsung.
  • Not so sure. They never patched the browser exploit on the SII.  Patching things, even this F'd up, is easy enough. Getting the patch out to the users is what concerns me.
  • +100 to that. If Samsung could figure out a way to take the carrier out of the equation (and, you know, get it tested), then it'd be like heaven.
  • So why can't they? Whats stopping them. Apple seems to be carrier independent with it's updates as far as IOS is concerned. So what locks Android devices into carriers? Is it the fact they are on contract so the carrier requires it?
  • Apple started out by finding a carrier (AT&T) that was willing to allow them to handle their own updates. Once the iPhone became incredibly popular, they used that leverage to insist on keeping that control with other carriers. The smartphone world has changed a lot since 2007 and none of the carriers would be willing to allow another manufacturer to have full control. If the manufacturer stands its ground, the carrier just favors another manufacturer. This is part of the reason Google is pushing an unlocked phone that costs significantly less than any other phone in its class. People can afford to buy it and Google gets to keep control of the updates.
  • There are plenty of flaws in your statement there, but I think the only way for you to notice them is if you look at a map.
  • If there are flaws in the statement then clarify it instead of resorting to personal attacks. OT: I think it's kind of funny how people observe basically the same issue, had this been about an exploit on the iPhone allowing the device to be jailbreaked, everyone would be cheering at that fact, rather than be concerned there's a severe unpatched security exploit on their phone :P That is not really the case when a similar exploit gets discovered on an Android Device.
  • You answered your own question. Big Fruity is more powerful than the carriers in America!! Samsung is and always will be the outside evil force. Despite the fact that MORE Americans love Samsung products. More of the world loves Samsung than Big Fruity. The carriers play hardball with the OEMs when compared to Big Fruity!
  • OK, so I'm trying to understand this. There is a potentially dangerous security vulnerability out there that an exploit to can easily be hidden in an app, so you not only post an article broadcasting it's existence, but you also broadcast the name of the Dev who discovered the vulnerability and created an open source exploit to that vulnerability so anyone planning to do something nefarious can easily search for it? Well that's just down right brilliant!
  • That's actually the way it works. The faster a vulnerability becomes widely known, the faster the manufacturer is forced to deal with it. If these things were kept quiet, the OEMs would have no incentive to fix them. As you can see from the article, a well known developer in the Android community has already created an app to help users stay safe until Samsung releases a patch.
  • Obviously the cat is out of the bag now, it doesn't really matter if Android Central reports on it or not. It does however raise the question of responsible disclosure, you really don't just publish this stuff out of thin air, you do try to work with the vendor in order to resolve it before making the vulnerability public. Disclosing this information without informing the vendor is reckless and irresponsible, it is typical to inform the vendor, and if the vendor does not respond within a reasonable amount of time, then you go public in an attempt to "shame them" into fixing it.
  • Dang, Verizon got to this phones home button too... Or is that a Note2?
  • >"Always remember that a rooted phone or an unlocked bootloader means half the work for "the bad guys" is already done." I am not completely sure I agree with the wording of that statement. I have "root" access to every one of my Linux computers, and that doesn't make it less secure (it is impossible to lock myself out of having administrative access to my own systems) because I am not RUNNING as root as normal procedure. Yes, this exploit could mean a rogue app could gain root, itself, but that has nothing to do with the phone having already been rooted or not- that does not automatically present an additional security risk... I am just saying that the reality is far more complex than can be summed up, as such, in that sentence.
  • You computer is not a phone, and uses a more robust user/groups/sudo permission model (presumably). In an Android phone we rely on the intent system to intercept calls that require root access. If there is no app to intercept them, they just run.
  • Thanks Jerry. Got the fix and I am now protected. Keep us updated on word from Samsung.
  • "You can turn the fix off and on as you choose, which is good because it breaks camera functionality on some devices (read more after the break on why that happens)" Jerry, did I miss it, or did you forget to say why the camera breaks?
  • I'm not Jerry, but I can answer the question for you. The temporary fix breaks the standard camera app because the app is dependent upon the permissions to the memory driver to be wide open. Taking away that permission breaks the app. There is a suggested fix for this situation in the original thread:
    http://forum.xda-developers.com/showthread.php?t=2048511
  • I'm running a 100% bone-stock, non-rooted Verizon Galaxy Note 2. According to the Supercurio app, my phone IS "currently vulnerable to the exploit". So, I'm confused by the article specifically calling out affected models as "Sprint Galaxy S II, the international Galaxy S II, the international Galaxy S3, the international Galaxy Note, and the Galaxy Note 2 are all affected." Should it read "Sprint Galaxy S II, the international Galaxy S II, the international Galaxy S3, the international Galaxy Note, and the ALL VERSIONS OF THE Galaxy Note 2 are all affected."?
  • Not if you take it in the context of the text preceding it, in my opinion.
  • It should be taken as implied, when no specific model was given as a qualifier.
  • Does this even impact American Galaxy S3's? Don't we all have Snapdragon processors? I'm on AT&T and could have sworn that's what we have.
  • It should not be affected no :) The article also specifically states the international SGS3.
  • So about all those people who bitched about not getting a quad core phone.....
  • Who is this guy who made a patch, and why should I trust him to patch the hole rather than exploit it? I'm still on the N1, and just ordered the HTC 1, so it doesn't effect me, but my sister has the Sprint GS2.
  • Supercurio is fairly well know in the Android community. Obviously, you're right: it comes down to a question of do *you* trust him. You're asking exactly the right question. Most of us around here trust him, just because he's been active in the Android development community and, well, I guess he's never done anything to give us reason not to trust him :) But that is good that you're asking that question. All I can give you is, *I* don't believe he's looking screw anyone over. Of course, you've really got no reason to trust me :) All that said, you have to decide for yourself the community's belief that he's legit is good enough for you. UPDATE: After hitting the links and doing some reading, it looks like the basis for the app was actually written by Chainfire, a name most anybody who roots and flashes custom ROMs should know. He wrote the SuperSU app that most people are using at this point :) He *could* exploit the hole, but considering he wrote the app that actually allows apps on my phone to get SU permissions, and nothing bad has happened to my phone yet, I don't think there's anything to worry about ;) UPDATE 2: Nevermind. They've each written their own app. My mistake. Looks like even Supercurio is recommending people take a look at Chainfire's version, though.
  • The iPhone also has a "malware" security flaw. How the hell do you think you jail break it so you can steal apps? Great, some idiot mac user slaps the word "malware" on there & now all the root tools & triangle away will all have to be rewritten. All these malware scares, but hey, if you are downloading cracked pirated app titles & screwing the developer, I say you deserve whatever issue you get.
  • https://www.youtube.com/watch?v=G2_zHqsC4BE&feature=youtube_gdata_player Exynos abuse in action on my Verizon Galaxy Note 2