Samsung Galaxy Note II Android 4.1.2 vulnerability

A security researcher recently found a vulnerability which allowed access to apps and the ability to dial phone numbers on the Samsung Galaxy Note II running Android 4.1.2, all when the phone is locked. The vulnerability requires a user to press the ‘Emergency Call’ icon, then the ‘in case of emergency’ button (ICE) and then hold down the home button.

The home screen is briefly displayed prior to the lock screen popping up, so as the home screen flashes, someone could touch one of the apps displayed and access it without any authentication. Using this exploit requires careful timing, because the screen is displayed only for a short interval and the apps immediately go into the background. If you use a widget on your home screen (some users I know do) then this might display your emails and calendar data.

It’s not known right now whether this vulnerability is linked to just Samsung’s TouchWiz user interface. It does appear from testing we have done that most of the Galaxy range of handsets could be affected (we tested on the S3), but only those running Android 4.1.2. This is why we believe that the vanilla version (see Bootnote) of Android, which is the original Google build without any customisations, should be the only version adopted by the handset manufacturers.

The reasons for this are actually quite simple…

Vanilla Android is far more robust, has better performance and has no bloatware, which is why OEM versions I’ve used such as Samsung TouchWiz on the S3 and Note II have had firmware upgrade (i.e. unexpected device reboots) and performance problems.

Did you know? Android allows the dynamic loading of code (unlike iOS), so an app could automatically download executable content.

Outside of Android 4.1.2, the “Lock screen widgets” function is also a new feature of Android Jelly Bean versions 4.2/4.2.1, where you can, for example, view email and calendar preview widgets on the lock screen without actually unlocking the device (if you swipe left from the lock screen). Worse still, you can also delete widgets without actually unlocking the device! There are some major privacy concerns here. If you value your privacy, I suggest you don’t use these widgets right now.

Did you know? Google Bouncer emulates an Android device, so malware could detect the emulation mode and simply not execute. I’ve written about this on countless occasions.

Safe surfing folks!

Bootnote: Vanilla Android means the original Google build without any customisations. An example of a customisation is the Samsung Galaxy S3 which uses a TouchWiz UI.


4 Responses to Samsung Galaxy Note II Android 4.1.2 vulnerability

  1. David Ervin says:

    Now can be done, permanently unlocking the screen until phone is rebooted. Go through the same procedure except hit the on/off button twice after hitting the home button. Screen lock is now disabled until rebooted. A fix for this needs to be found sooner rather than later.

  2. Joe Charles says:

    I bought the Note II 3 weeks ago now & like soooo many other users, have trouble in installing the KIES program to seamlessly transfer data between the Note II and MS Outlook on my PC.

    Now……! As well as having no joy with the installation or the KIES program itself, the Samsung customer service is …..
    (trying to hold back my tongue here), Non Existent!!!

    So have I made the right decision, investing in my Samsung Galaxy Note II???
    And judging by your vulnerability piece on Android 4.1.2 OS,
    Then maybe I HAVEN’T?!!!

    So PLEASE HELP ……….. PLEASE!!!!!!!!!!!!

    • Julian says:

      #Joe Charles# Kies (this includes the ‘Air’ version) isn’t that stable for us. I suggest you use – it’s free too 🙂 and works with ICS & Jelly Bean – this syncs well with Outlook and integrates with the native Calendar. It will create Sync-Task Sync Note icons which will sync Android contacts, tasks and notes with Outlook via USB.
