A new vulnerability has been discovered in the Find My Mobile app, which comes pre-installed on most Samsung phones, that could allow attackers to remotely track a victim’s real-time location, monitor messages and phone calls, and even delete the data on the victim’s phone.
Find My Mobile is an application that helps you locate your phone and protect your data; it comes pre-installed on most Samsung devices.
The findings in Samsung’s Find My Mobile Android app come from Char49, a Portugal-based cybersecurity services provider, which presented them at the DEF CON conference held last week.
“This flaw, after setup, can be easily exploited and with severe implications for the user and with a potentially catastrophic impact: permanent denial of service via phone lock, complete data loss with a factory reset (SD card included), serious privacy implication via IMEI and location tracking as well as call and SMS log access.”
Char49’s Pedro Umbelino told The Hacker News.
The vulnerability was successfully exploited on Samsung Galaxy S7, S8, and S9+ devices, and Samsung has rated it a high-impact vulnerability.
According to the cybersecurity firm, the app contained four different vulnerabilities that a remote attacker can chain to mount a man-in-the-middle attack and hijack the app’s communication with the backend servers.
The first vulnerability is that the app checks for the existence of a file, “/sdcard/fmm.prop”, and loads two properties from it, “mg.url” and “dive.url”. Because that location is writable by other apps, a malicious app can create the file and change the URL endpoints, redirecting the app’s backend communication to a server of the attacker’s choosing.
“By pointing the MG URL to an attacker-controlled server and forcing the registration, the attacker can get many details about the user: coarse location via the IP address, IMEI, device brand, backup apps, API level, and several other pieces of information.”
Umbelino said.
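The root cause of the first flaw is configuration read from a location any app can write to. The following is an added example, not Char49’s or Samsung’s code, of how such a properties loader can be hardened: it refuses files on shared external storage outright, and only accepts endpoint values that use HTTPS and name an allowlisted host. The property keys “mg.url” and “dive.url” are taken from the article; the allowlisted host names and the sample file contents are placeholders constructed for the demo.

```python
"""
Added example (not Char49's or Samsung's code): a hardened loader for a
key=value properties file like the "fmm.prop" described in the article.
The loader refuses files that live on shared external storage and only
accepts endpoint URLs that use HTTPS and point at an allowlisted host.
Host names below are placeholders, not the real Find My Mobile backends.
"""
from __future__ import annotations

import posixpath
from urllib.parse import urlparse

# Directories any app on the device can write to; a config file read from
# here can be planted by another app, which is the flaw described above.
UNTRUSTED_PREFIXES = ("/sdcard/", "/storage/", "/mnt/")

# Keys the article says the app reads, and the host each may point at.
# PLACEHOLDER hosts: the real endpoints are not on the page.
ENDPOINT_ALLOWLIST = {
    "mg.url": {"mg.example-backend.invalid"},
    "dive.url": {"dive.example-backend.invalid"},
}

# Constructed sample: one planted http endpoint, one legitimate-looking one.
SAMPLE_PROP = (
    "# constructed fmm.prop-style file for the demo\n"
    "mg.url=http://planted.invalid/register\n"
    "dive.url=https://dive.example-backend.invalid/api\n"
)


def parse_properties(text: str) -> dict[str, str]:
    """Parse Java-style key=value lines; blank lines and '#' comments are skipped."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_trusted_path(path: str) -> bool:
    """True only for paths outside shared storage, after normalising '..' and '//'."""
    norm = posixpath.normpath(path)
    return not any(norm.startswith(prefix) for prefix in UNTRUSTED_PREFIXES)


def validate_endpoint(key: str, url: str) -> tuple[bool, str]:
    """Accept only https URLs whose host is allowlisted for this key."""
    allowed = ENDPOINT_ALLOWLIST.get(key)
    if allowed is None:
        return False, "unknown key"
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "scheme must be https"
    if parsed.hostname not in allowed:
        return False, f"host {parsed.hostname!r} not allowlisted"
    return True, "ok"


def load_endpoints(path: str, text: str) -> dict[str, str]:
    """Return only the endpoints that may be used; a file from shared storage is
    rejected as a whole, and individual values failing validation are dropped."""
    if not is_trusted_path(path):
        return {}
    accepted: dict[str, str] = {}
    for key, url in parse_properties(text).items():
        ok, _reason = validate_endpoint(key, url)
        if ok:
            accepted[key] = url
    return accepted


if __name__ == "__main__":
    print(load_endpoints("/sdcard/fmm.prop", SAMPLE_PROP))
    print(load_endpoints("/data/data/com.example.fmm/files/fmm.prop", SAMPLE_PROP))
```

Rejecting the file by its location is the decisive check: once a config source is writable by other apps, no amount of value validation makes it trustworthy, so the allowlist is a second layer rather than a substitute.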
The exploit also relied on three broadcast receivers that were left unprotected. These allowed the commands the Find My Mobile app sends to Samsung’s server to be redirected to a server controlled by the attacker, which could then return commands of its own.
The app treats the response as a legitimate command and acts on it.
Chained together, these flaws let an attacker track a victim’s real-time location, monitor messages and phone calls, and even delete the data on the victim’s phone.
“The FMM application should not have arbitrary components publicly available and in an exported state.”
Umbelino said.
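The check Umbelino describes can be automated at build or review time. The following is an added example, not Char49’s or Samsung’s code, of a small audit script that parses an AndroidManifest.xml and lists every component that is reachable from other apps without a permission guard, the condition behind the three unprotected broadcast receivers. The manifest it scans is constructed for the demo, with placeholder package, receiver, and permission names; it assumes the pre-Android 12 rule that a component with an intent-filter is exported unless android:exported says otherwise.

```python
"""
Added example (not Char49's or Samsung's code): audit an AndroidManifest.xml
for components that are exported without an android:permission guard.
The sample manifest below is constructed; package, component and permission
names are placeholders, not the real Find My Mobile manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest with one bad receiver and two acceptable ones.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fmm">
  <application>
    <!-- implicitly exported: intent-filter, no exported attr, no permission -->
    <receiver android:name=".CommandReceiver">
      <intent-filter>
        <action android:name="com.example.fmm.action.COMMAND"/>
      </intent-filter>
    </receiver>
    <!-- exported on purpose but guarded by a permission -->
    <receiver android:name=".PushReceiver"
        android:exported="true"
        android:permission="com.example.fmm.permission.INTERNAL"/>
    <!-- private: never reachable from other apps -->
    <receiver android:name=".LocalReceiver" android:exported="false">
      <intent-filter>
        <action android:name="com.example.fmm.action.LOCAL"/>
      </intent-filter>
    </receiver>
    <!-- no intent-filter and no exported attr: not exported by default -->
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component) -> bool:
    """Manifest rule assumed here: an explicit android:exported value wins;
    otherwise an activity, service or receiver that declares an
    <intent-filter> is exported by default (behaviour before Android 12)."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def find_unprotected_components(manifest_xml: str) -> list:
    """Return (tag, name) for every exported component lacking a permission."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for component in app:
        if component.tag not in COMPONENT_TAGS:
            continue
        if is_exported(component) and attr(component, "permission") is None:
            findings.append((component.tag, attr(component, "name")))
    return findings


if __name__ == "__main__":
    for tag, name in find_unprotected_components(SAMPLE_MANIFEST):
        print(f"unprotected exported {tag}: {name}")
```

Only `.CommandReceiver` is reported: `.PushReceiver` is exported but requires a permission, `.LocalReceiver` is explicitly private, and `.SyncService` has no intent-filter so it is not exported by default. The fix for a flagged component is the one Umbelino implies: set `android:exported="false"` unless other apps genuinely need it, and if they do, guard it with a signature-level permission.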