14 DAY TRIAL // Two days after Google released the Android Security Bulletin for the month of June, Samsung followed suit and released its own security updates, meant to supplement Google's fixes for Samsung devices.
Back in January, Samsung started its own security bulletin, similar to Google's, but focusing on security bugs specific to its own bastard implementation of the Android OS. This security bulletin, called Security Maintenance Release (SMR), is issued every month, a few days after the official Google Android Security Bulletin.
For this month's changes, the company announced it fixed nine issues, but could only disclose details about five.
Samsung fixes device takeover issue in factory reset process
The most dangerous issue covered a bug that affected Samsung Galaxy devices running Android 5.0 and 5.1 during their factory reset process. Samsung and attackers have known about this issue since the autumn of 2015, when famous root artist RootJunky demonstrated the exploit on YouTube.
Protecting the factory reset process (FRP) is crucial for all phone manufacturers. Attackers with access to a phone can initiate a factory reset, and by bypassing this procedure, they can have access to both the phone and its owner's data.
In this particular case, Samsung says that an attacker could connect the Galaxy device to a USB OTG during the FRP wizard. This action would stop the wizard and bring up a MyFiles window that would have allowed the crook to upload an app, install it and take over the device, bypassing both the FRP and any potential device locks.
Other issues also fixed
Samsung rated this issue, SVE-2015-5068, as a high impact problem and fixed it this month. Additionally, the company also fixed another high severity issue in the signature checking process for app installations.
The company also fixed two medium severity issues, one in the email client that used DES encryption instead of 3DES, and one that allowed attackers to send AT commands via USB connections, even if the device was locked.
Last, but not least, Samsung also fixed a low severity SIM lock bypass issue that affected phones running Android 5.0 or higher.
Samsung has bundled its own security fixes together with Google's core Android patches and has delivered the security patches to its partners. It's now up to ISPs to provide these updates to clients.