Multiple Samsung Specific Modifications to Android Leading to Permission Bypasses

We discussed this vulnerability during Episode 167 on 14 November 2022

Oversecured pointed their code-scanning tool at vendor patches to the Android System APIs and found a number of places where Samsung's modifications introduce vulnerabilities.

  1. The BackupManagerService’s isBackupEnabled() method in stock Android performs an android.permission.BACKUP check before returning. Samsung simply added a semIsBackupEnabled() method which does the same thing but skips the permission check.
  2. The StorageManagerService added support for a broadcast action (com.samsung.intent.action.RESTART_OF_SDCARDBADREMOVED_HASAPK) that could be sent by any application and would reboot the device without any permission check.
  3. When the Settings application handles intents, an application can include a boolean from_search_trampoline, which causes Settings to start the specified activity. As the Settings application runs as the System user, this can be used to start non-exposed activities of any application.
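The first finding is a pattern that is easy to scan for: a vendor-added method that duplicates a stock method minus its permission check. The following heuristic scanner is an added example, not Oversecured's tool or Samsung's code; it runs over a constructed Java source fragment modelled on the BackupManagerService case (the class body and the `sem` prefix convention are assumptions).

```python
import re

# Constructed sample modelled on the finding above, not Samsung's actual source.
SAMPLE_SERVICE = """
public class BackupManagerService extends IBackupManager.Stub {
    public boolean isBackupEnabled() {
        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP, "isBackupEnabled");
        return mEnabled;
    }
    public boolean semIsBackupEnabled() {
        return mEnabled;
    }
    private void logState() {
        Slog.d(TAG, "enabled=" + mEnabled);
    }
}
"""

# Matches the framework's usual caller permission checks, e.g. enforceCallingOrSelfPermission(.
PERMISSION_CHECK = re.compile(r"\b(enforce|check)(Calling(OrSelf)?)?Permission\s*\(")
# Public methods are the ones reachable over Binder from other apps.
METHOD_HEADER = re.compile(r"^\s*public\s+[\w<>\[\]]+\s+(\w+)\s*\([^)]*\)\s*\{", re.M)


def extract_public_methods(src: str) -> dict:
    """Return {method_name: body} by brace-matching from each public method header."""
    methods = {}
    for m in METHOD_HEADER.finditer(src):
        depth, start = 0, m.end() - 1  # index of the opening brace
        for j in range(start, len(src)):
            if src[j] == "{":
                depth += 1
            elif src[j] == "}":
                depth -= 1
                if depth == 0:
                    methods[m.group(1)] = src[start + 1:j]
                    break
    return methods


def find_unchecked_methods(src: str, vendor_prefixes=("sem",)) -> list:
    """Public methods whose body performs no permission check, vendor-prefixed names first."""
    unchecked = [name for name, body in extract_public_methods(src).items()
                 if not PERMISSION_CHECK.search(body)]
    return sorted(unchecked, key=lambda n: (not n.startswith(vendor_prefixes), n))


def unchecked_vendor_twins(src: str, prefix: str = "sem") -> list:
    """(vendor_method, stock_method) pairs where the stock twin checks a permission and the vendor copy does not."""
    methods = extract_public_methods(src)
    checked = {n for n, b in methods.items() if PERMISSION_CHECK.search(b)}
    twins = []
    for name, body in methods.items():
        if name.startswith(prefix) and not PERMISSION_CHECK.search(body):
            stock = name[len(prefix)].lower() + name[len(prefix) + 1:]  # semIsX -> isX
            if stock in checked:
                twins.append((name, stock))
    return sorted(twins)


if __name__ == "__main__":
    print("unchecked public methods:", find_unchecked_methods(SAMPLE_SERVICE))
    print("vendor twins missing the stock check:", unchecked_vendor_twins(SAMPLE_SERVICE))
```

Treat hits as review candidates rather than confirmed bugs: a method may delegate the check to a helper the regex does not recognise, which is exactly the kind of case a human should confirm.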