article featured image


Several critical security flaws have been disclosed in Samsung’s pre-installed Android apps, which, if successfully exploited, could allow threat actors to take control of the devices and access users’ personal data without their consent.

The vulnerabilities were discovered and reported by Oversecured founder Sergey Toshin in February 2021. In an analysis published on Thursday, Toshin stated that

The impact of these bugs could have allowed an attacker to access and edit the victim’s contacts, calls, SMS/MMS, install arbitrary apps with device administrator rights, or read and write arbitrary files on behalf of a system user which could change the device’s settings.

These vulnerabilities could have led to a GDPR violation, and we are delighted that we could help Samsung identify and fix these vulnerabilities in a timely manner.


Following the reveal, Samsung issued security patches as part of its April and May security updates. Below you can see a list of the seven vulnerabilities:

  • CVE-2021-25356 – Third-party authentication bypass in Managed Provisioning;
  • CVE-2021-25388 – Arbitrary app installation vulnerability in Knox Core;
  • CVE-2021-25390 – Intent redirection in PhotoTable;
  • CVE-2021-25391 – Intent redirection in Secure Folder;
  • CVE-2021-25392 – Possible to access notification policy file of DeX;
  • CVE-2021-25393 – Possible to read/write access to arbitrary files as a system user (affects the Settings app);
  • CVE-2021-25397 – Arbitrary file write in TelephonyUI.

According to Toshin, the impact of these flaws means that threat actors could exploit them to install arbitrary third-party apps, grant the device admin privileges to delete other installed applications or steal sensitive files, read or write arbitrary files as a system user, and even execute privileged actions.

Toshin received $5,460 for letting Samsung know about CVE-2021-25393, a vulnerability impacting their Settings app. The flaw gave hackers access to arbitrary files as an actual system user.

He got another $4,850 from February’s batch of bugs that allowed creating arbitrary files disguised as a Telephony user who can access SMS and call details.

In total, he received almost $30,000 since the beginning of 2021 for disclosing 14 issues within the South Korean tech giant devices’ systems.

Samsung recommends device owners apply the company’s latest firmware updates to avoid any potential security risks.

Author Profile

Cezarina Dinu

Head of Marketing Communications & PR

linkedin icon

Cezarina is the Head of Marketing Communications and PR within Heimdal® and a cybersecurity enthusiast who loves bringing her background in content marketing, UX, and data analysis together into one job. She has a fondness for all things SEO and is always open to receiving suggestions, comments, or questions.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo