Developer’s Root Exploit Opens Door to Some Samsung Phones

In the past few days, developers on the XDA-Developers forum have discovered a new root exploit for recent Samsung phones. Normally a root exploit is a good thing for advanced users; they can modify their OS to improve performance, install new and rare apps, or even patch bugs. On the other hand, novice and uninformed users can have their phones targeted by attackers looking to reduce security and steal money or personal data. Malware writers have previously taken exploits written by the legitimate rooting community and repackaged them along with their malware to gain absolute control of a victim’s device.

XDA-Developers member alephzain discovered the vulnerability and created an exploit. A second forum member, Chainfire, packaged the exploit into an app that installed the exploit and rooted vulnerable phones. The app was later modified to disable the vulnerability to prevent an attacker from entering your phone.

Chainfire’s app makes rooting a Samsung phone easier for users.

How the exploit works
The vulnerability involves how the Exynos processor is used on certain Samsung phones (for example, the Galaxy S2). It is possible to access the entirety of physical memory through the OS. Usually this is limited to the root user, but in this case that memory is accessible by any user program.

The exploit uses this physical memory access to patch a system function in memory, bypassing the security and user controls in place. This lets the exploit gain root access on the phone. Once an attacker has root access, the entire phone is open.

Already exploited? Not maliciously
With such an open vulnerability in the wild, one might think that malware authors would be rushing to weaponize the exploit. Fortunately only Chainfire has done so, with this mobile rooting app. Currently knowledgeable phone “modders” can download and install this app to root their phones. And so can attackers, intent on stealing your personal data or money.

To protect against the latter situation, we detect the most recent versions of Chainfire’s tool as Android/ExynosToor.A-B, and alephzain’s exploit as Exploit/ExymemBrk.A.