Google Finds Security Holes In New Samsung Galaxy S6 Edge
Google security researchers put Samsung's Galaxy S6 Edge through its paces over one week and found major flaws in Android code added by the Korean company. Google's Project Zero team discovered and reported 11 high-impact security issues.
The majority of Android devices are not made by Google, but by external companies known as Original Equipment Manufacturers or OEMs which use the Android Open-Source Project (AOSP) as the basis for mobile devices which they manufacture. OEMs introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers.
Perhaps the most interesting issue found was a directory traversal bug that allows a file to be written as system. There is a process running as system on the device that scans for a zip file at /sdcard/Download/cred.zip and unzips it. Unfortunately, the API used to unzip the file does not verify the entry paths, so a file can be written to unexpected locations. On the version of the device Google's team tested, this was trivially exploitable via the Dalvik cache, using a technique that has been used to exploit other directory traversal bugs, though an SELinux policy that prevents this specific exploitation technique has since been pushed to the device.
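As an added illustration of the missing check (this is not Project Zero's or Samsung's code), the following Python uses the standard zipfile module to validate every archive entry against the extraction directory before unpacking; the archive contents and the /sdcard/Download target path are constructed for the example.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip(include_traversal: bool = True) -> bytes:
    """Constructed sample archive: one benign entry and, optionally, one
    entry whose name climbs out of the extraction directory with '..'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cred/token.txt", "benign content")
        if include_traversal:
            zf.writestr("../../data/app/evil.txt", "would land outside dest")
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """Return entry names whose resolved path falls outside dest_dir.
    This is the check a directory-traversal-safe unzip must perform."""
    dest_real = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # join() discards dest_real for absolute names, and realpath()
            # collapses '..', so commonpath catches both escape forms.
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(name)
    return bad


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Refuse the whole archive if any entry is unsafe; otherwise extract
    and return the extracted entry names. (Recent Python versions also
    sanitize such names inside extractall(); the explicit check is shown
    because it is what an unzip API lacking that protection needs.)"""
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def demo_extract_benign() -> list:
    """Extract a traversal-free archive into a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(include_traversal=False), tmp)
```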
Another interesting and easy-to-exploit bug was found in the Samsung Email client by James Forshaw. It is a lack of authentication in one of the client’s intent handlers. An unprivileged application can send a series of intents that causes the user’s emails to be forwarded to another account. It is a very noisy attack, as the forwarded emails show up in the user’s sent folder, but it is still easy access to data that not even a privileged app should be able to access.
A script injection issue was also found in the Samsung email client. This issue allows JavaScript embedded in a message to be executed in the email client. It is somewhat unclear what the worst-case impact of this issue is, but it certainly increases the attack surface of the email client, as it would make JavaScript vulnerabilities in the Android WebView reachable remotely via email.
In addition, three issues were found in drivers on the device. Buffer overflows were identified in drivers that are accessible to processes running as media. These could be chained with bugs in media processing, such as libstagefright bugs, to escalate to kernel privileges. There was also a concurrency issue leading to memory corruption in a driver, which could be used to escalate from any unprivileged application or code execution to kernel.
Five memory corruption issues on the device in Samsung-specific image processing were also identified. Two of these issues occur when an image is opened in Samsung Gallery, but the three others occur during media scanning, which means that an image only needs to be downloaded to trigger these issues. They allow escalation to the privileges of the Samsung Gallery app or the media scanning process.
Google's researchers reported these issues to Samsung soon after discovering them. Samsung responded recently, stating that it had fixed eight of the issues in its October Maintenance Release and that the remaining issues would be fixed in November.