Last year, NowSecure mobile security researchers Jake Van Dyke and Ryan Welton discovered two major vulnerabilities affecting nearly 80% of Samsung devices, or about one-third of all Android devices. Dubbed Corrupdate, these vulnerabilities affect devices including the flagship Galaxy S5 and Note 4 phones and 200+ total Samsung phone and tablet models.
Nearly 80% of Samsung devices, or about one-third of all Android devices, are affected.
NowSecure reported these issues to Samsung to help them create a patch and ensure users would be protected. Samsung recently released a patch, and NowSecure confirmed the patch appears to be effective. To confirm whether your device is patched and improve your mobile security score, install NowSecure Mobile.
To learn how users can protect themselves, and read a technical deep-dive on the vulnerability, read our technical breakdown by NowSecure researcher Jake Van Dyke.
Recommendations
- Check your app version: for Samsung Account and GALAXY Apps (or Samsung Apps). Details on which versions are patched are provided in our technical breakdown.
- Update the app: open the affected app while using a trusted network and accept the update from Samsung. Read the technical breakdown for more details.
- Disable the app through your system settings (Android 4.0 or higher only). Note: patched versions will not automatically re-enable themselves; you will need to re-enable the app manually. Steps to disable vary by device.
- Download a security app that informs you if you are vulnerable or secure. NowSecure Mobile can tell you if you have a vulnerable or a patched version, and can inform you if you have other known vulnerable apps on your device as well.
To be alerted if you’re affected, install NowSecure Mobile for Android
NowSecure Mobile is also available for iOS.
Who is Affected?
There are two vulnerable apps, each with several vulnerable versions, affecting 200+ vulnerable Samsung device models. Overall, this affects nearly 80% of Samsung devices, or about one-third of all Android devices.
What’s the Risk?
The flaws were found in two system apps that come pre-installed on many devices: Samsung Account and GALAXY Apps (sometimes shown as Samsung Apps or Samsung Updates). In both cases, an auto-update feature could enable a network attacker to install malware on the device, without action by the user.
Although most users do not directly use these affected apps, it is important to note that the update feature is automatic, and in some cases would prompt the user to install an update. Unless the user actively disables the app (it cannot normally be uninstalled), it would remain on the device and vulnerable to attack.
If exploited, the attacker could replace the update with a malicious APK that would be installed by the system in place of the genuine update. If the user runs the malware app, it could attempt to steal data, track activity or perform other attacks.
This remote attack affecting millions of devices requires only a network position, such as being on an insecure Wi-Fi access point. Furthermore, the attack does not change from device to device, so an attacker could target many kinds of Samsung phones or tablets.
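The substitution described above succeeds only because the updater trusts whatever bytes the network hands back. The following added example (not NowSecure's or Samsung's code; the payloads, function names and pinned digest are constructed for the demonstration) contrasts an updater that installs the downloaded bytes as-is with one that checks them against a digest pinned before the download, so that an on-path substitution is rejected rather than installed:

```python
"""Constructed demo of why an auto-updater must verify what it downloads.

Added example, not vendor code. Payload bytes, names and the pinned digest
are constructed for illustration.
"""
import hashlib
import hmac

# Constructed stand-ins for the update bytes a device might download.
GENUINE_UPDATE = b"PK\x03\x04 genuine-vendor-update"
TAMPERED_UPDATE = b"PK\x03\x04 attacker-substituted-package"

# The digest the device expects. In a real updater this comes from a manifest
# obtained over an authenticated channel (TLS with a pinned certificate), or is
# replaced by a signature check against a pinned vendor public key.
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


class UpdateRejected(Exception):
    """Raised when the downloaded bytes do not match the pinned digest."""


def fetch_update(attacker_on_path: bool) -> bytes:
    """Simulate the download. On an untrusted network an on-path attacker
    can answer the update request with its own bytes instead of the vendor's."""
    return TAMPERED_UPDATE if attacker_on_path else GENUINE_UPDATE


def _install(package: bytes) -> str:
    """Stand-in for the package installer; reports what would be installed."""
    label = package.split(b" ", 1)[1].decode()
    return f"installed:{label}"


def install_unverified(package: bytes) -> str:
    """Vulnerable pattern: install whatever the update endpoint returned."""
    return _install(package)


def install_verified(package: bytes, expected_sha256: str) -> str:
    """Hardened pattern: refuse anything whose digest differs from the pinned
    value. compare_digest keeps the comparison constant-time."""
    actual = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise UpdateRejected(
            f"digest mismatch: got {actual[:12]}..., expected {expected_sha256[:12]}..."
        )
    return _install(package)


def run_scenario(verify: bool, attacker_on_path: bool) -> str:
    """Run one update cycle and return what happened on the device."""
    package = fetch_update(attacker_on_path)
    try:
        if verify:
            return install_verified(package, PINNED_SHA256)
        return install_unverified(package)
    except UpdateRejected as exc:
        return f"rejected:{exc}"


if __name__ == "__main__":
    for verify in (False, True):
        for attacker in (False, True):
            print(f"verify={verify!s:5} attacker_on_path={attacker!s:5} -> "
                  f"{run_scenario(verify, attacker)}")
```

Running the block shows the four combinations: without verification the tampered package is installed whenever an attacker is on the path; with the pinned digest the genuine update still installs and the substituted one is refused. A digest pinned at build time only works for a known payload; a production updater instead verifies a vendor signature over the package against a pinned public key, which the same `install_verified` shape accommodates.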
This clear risk illustrates the danger posed by vulnerable apps running on personal and enterprise devices, part of the SCAN principle of mobile security.