There is a severe security flaws in the 'Find My Mobile'app that comes pre-installed on Samsung Android phones which could allow remote attackers to track users' real-time location, and monitor phone calls, messages, or even delete stored data on the phone.
While the flaw can be exploited easily with severe implications for the user and could lead to permanent denial of service via phone lock, and serious privacy implication through IMEI, according to Pedro Umbelino, security researcher at Char49.
It currently affects unpatched Samsung Galaxy S7, S8, and S9+ devices, though the patch has been pushed out by Samsung after flagging the exploit as a "high impact vulnerability" to the devices; albeit most of these devices do not receive timely updates, which is perhaps another reason why Android sucks.
How the Find My Mobile app allows Remote Attackers to track users?
The "Find My Mobile" service allows users of Samsung devices to remotely locate or back up data stored on the devices to Samsung Cloud, lock their devices, wipe local data, and block access to Samsung Pay, especially when they lost their devices.
However, due to four different vulnerabilities in the app, it could have been exploited by any malicious app installed on the device, by creating a man-in-the-disk attack to snoop on the victim by hijacking communication from the backend servers. As the app frequently checks for the presence of a specific file on the device's SD card ("/mnt/sdcard/fmm.prop") to load a URL ("mg.URL"), allowing any rogue app to create this file to potentially hijack the communications with the server.
The malicious app installed on the device can make use of an exploit chain leveraging two different unprotected broadcast receivers to redirect commands to Samsung's servers from the Mobile app to server that's under their control to execute the malicious commands.
And the malicious server will also forward the request back to the legitimate server to retrieve the response, but after injecting its commands in the server responses.
How to Mitigate against the 'Find My Mobile' app Flaws
The researchers promptly reported the flaws to Samsung, and they were addressed by Samsung after flagging it as a "high impact vulnerability." Therefore, it is recommended that all users of the above mentioned Samsung devices should apply the most recent security patches sent to their phones.
While the Find My Mobile app shouldn't have arbitrary components that are publicly available and in an exported state, which if absolutely necessary, should have been protected with proper permissions and testing code that relies on public files should be eliminated altogether.