Zero Day Initiative contest reveals vulnerability in Samsung Galaxy NFC feature

On Wednesday, security researchers at the Mobile Pwn2Own contest in Amsterdam demonstrated a vulnerability in both the Samsung Galaxy S3 and S2. The flaw allows hackers to take advantage of the Near Field Communication (NFC) feature on the Android smartphones, beaming an exploit simply by holding two phones next to each other. The transferred file is loaded on the victim’s smartphone and automatically opened, immediately gaining full permission. The attacker now has full control of the phone and access to all SMS messages, pictures, emails, contacts information, and more. Victims unaware the attack has even occurred as all of the malicious application’s endeavors run in the background.

The hackers explained that the attack is aimed at an application used to view documents, though they would not say exactly which. In order for the attackers to use the NFC method, the phones must be very close to each other, however it only takes a brief second of connection to download the file onto the victim’s phone. This specific vulnerability can also be exploited in other ways as well, not just through an NFC connection. It could be attached in an email which is opened and instantly installed on the user’s phone.

The organizers of the competition, Zero Day Initiative (ZDI) of HP DVLabs, will release the technical details of the hack to Samsung. A patch which will fix the bug is most likely to be released shortly after

Original article by Loek Essers.
Read the full article here.