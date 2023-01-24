Smartphones are the centerpiece of many of our lives. We converse with loved ones, plan our days, and organize our lives through them. They can be argued to be an extension of ourselves, which is why mobile security matters so much, and why an exploit like XDA Senior Member K0mraid3's, which grants a user complete system access on pretty much any Samsung smartphone, is such a big deal.

Of course, there are benefits to this in the hands of an end user who likes to modify and play with their smartphone. Greater system access allows users to do things like boot a GSI or change their device's CSC. However, because the exploit runs code as the Android system user (UID 1000), it can also be used in dangerous ways. Code running as system sidesteps the normal permission checks: it can access any app's components, send protected broadcasts, launch activities from the background, and much more.

If you want to try the exploit out to see what you can change in your system, we have a tutorial available that shows you exactly how to do that. If you're interested in the history behind this exploit and how it works, though, then keep reading. We spoke to K0mraid3 and asked him how it works, and he gave us the entire history, from start to finish, of how a vulnerability from 2019 still affects every Samsung smartphone, including flagships from 2022.

Samsung's Text-to-Speech (TTS) application is where this problem originates

Way back in 2019, a vulnerability tracked as CVE-2019-16253 was reported in Samsung's TTS engine in versions prior to 3.0.02.7. It allowed a local attacker to escalate privileges to system level, and it was later patched.

Essentially, Samsung's TTS app would blindly accept any data that it received from the TTS engine. An attacker could pass the TTS engine a library, which was handed on to the TTS application; the application would then load that library and execute it with system privileges. This was later patched so that the TTS app verifies the data coming from the engine, closing this particular loophole.

However, with Android 10, Google introduced the ability to roll back an application by installing it with the ENABLE_ROLLBACK parameter. This allows the user to revert an app installed on the device to a previously installed version. K0mraid3 says that he believes an "oversight" has allowed this to extend to Samsung's text-to-speech application on any Samsung device currently in the wild, even though the older TTS app that users are able to downgrade to on newer Samsung phones has never been installed on them before.

(Update: 01/24/23 @ 15:05) The cause of this bug actually appears to be the '-d' flag added to the adb install command when installing the older TTS application. The flag permits a version-code downgrade and is documented as working only for debuggable apps, but according to Esper it works for non-debuggable applications as well, which is why the TTS app can be forcibly downgraded.

In other words, while the 2019 vulnerability was fixed and an updated version of the TTS app was distributed, it's trivial for users to install the old version and exploit it on devices released three (and perhaps four) years later.

Samsung has known about the problem since October 2022

What's scariest about this particular exploit is not the level of access that it grants, but the fact that Samsung was made aware of it on October 7th, 2022. K0mraid3 tells me that he reached out to Samsung again in January to follow up and find out what was happening with it, only to be told that it was a problem with AOSP and to file an official Google report. Interestingly, Samsung also states that the problem has been confirmed on a Google Pixel smartphone.

Email sent to K0mraid3 from Samsung.

K0mraid3 went to report it to Google and found that both Samsung and another researcher had already reported it; the other researcher did so shortly after Samsung. We currently cannot access these bug reports, as they are marked private on Google's issue tracker, but K0mraid3 shared emails from both Google and Samsung confirming that they exist.

It's unclear how Google will approach fixing this issue if it is indeed an AOSP problem.

What can users do to protect themselves?

As K0mraid3 says in his XDA forum post, the best way for users to protect themselves is to set up this exploit and use it themselves. Once you do, no other user can load a second library into the TTS engine. Alternatively, you can disable or remove Samsung TTS, at the cost of that engine's speech output (Android lets you select a different text-to-speech engine in its settings).
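The check a practitioner would want before and after applying either mitigation is whether the Samsung TTS build actually installed on the device is older than 3.0.02.7, the fixed version named above. The POSIX shell script below is an added example, not code from this article or from K0mraid3's post: it reads the active versionName from `adb shell dumpsys package`, compares it numerically against 3.0.02.7, and can disable the engine for the primary user. The package name `com.samsung.SMT`, the layout of the dumpsys output, and the sample dumpsys text embedded in the script are assumptions and constructed input, not taken from the article or captured from a real device.

```sh
#!/bin/sh
# Added example, not code from the XDA article or from K0mraid3's post.
# Checks whether the Samsung TTS engine on a connected device is below
# 3.0.02.7 (the first version the article names as fixing CVE-2019-16253)
# and can disable it for the primary user.
#
# Assumptions not confirmed by the article:
#   - Samsung TTS is installed as the package com.samsung.SMT
#   - `dumpsys package <pkg>` prints the active version on a "versionName=" line
#     before any "Hidden system packages:" copy of the factory APK

PKG="com.samsung.SMT"
FIXED="3.0.02.7"

# Compare two dotted version strings component by component as integers
# ("02" == "2"), printing -1, 0 or 1. Missing components count as 0;
# non-numeric components are treated as equal rather than aborting.
vercmp() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ] 2>/dev/null; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ] 2>/dev/null; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Succeed (exit 0) when the given versionName is older than the fixed release.
is_vulnerable() {
    [ "$(vercmp "$1" "$FIXED")" -lt 0 ]
}

# Read the active package's versionName from dumpsys output on stdin.
parse_version() {
    sed -n 's/^[[:space:]]*versionName=//p' | head -n 1
}

# Constructed sample of the relevant dumpsys lines, as they would look after
# an older TTS APK has been installed over the factory copy. Not captured
# from a real device.
SAMPLE_DUMPSYS='Packages:
  Package [com.samsung.SMT] (abc123):
    userId=1000
    versionName=3.0.02.6
Hidden system packages:
  Package [com.samsung.SMT] (def456):
    userId=1000
    versionName=3.1.00.5'

# Live check against a connected device. Exit 0 = vulnerable version found,
# 1 = version at or above FIXED, 2 = could not determine.
check_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; cannot query device" >&2
        return 2
    fi
    v=$(adb shell dumpsys package "$PKG" | parse_version)
    if [ -z "$v" ]; then
        echo "$PKG not installed or not visible" >&2
        return 2
    fi
    if is_vulnerable "$v"; then
        echo "$PKG $v is older than $FIXED: downgraded, vulnerable build"
        return 0
    fi
    echo "$PKG $v is at or above $FIXED"
    return 1
}

# Mitigation from the article: disable the engine for the primary user.
# Keeps the APK, so it is reversible with `adb shell pm enable com.samsung.SMT`.
disable_tts() {
    adb shell pm disable-user --user 0 "$PKG"
}

if [ "${1:-}" = "--check" ]; then
    check_device
elif [ "${1:-}" = "--disable" ]; then
    disable_tts
else
    # Offline demonstration on the constructed sample.
    v=$(printf '%s\n' "$SAMPLE_DUMPSYS" | parse_version)
    if is_vulnerable "$v"; then
        echo "sample: $PKG $v is older than $FIXED (vulnerable downgrade)"
    fi
fi
```

Run it with `--check` against a connected device to see whether a downgraded build is active, and with `--disable` to apply the disable mitigation. The version comparison is done numerically rather than as a string so that a component such as "02" compares equal to "2" and a shorter version like 3.1 does not sort below 3.0.02.7.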

At the moment, it's unclear whether this affects devices released in 2023, and we'll be curious to see if it affects the upcoming Samsung Galaxy S23 series. K0mraid3 also mentions that some Joint Development Manufacturing (JDM) devices (such as the Samsung Galaxy A03) may have issues; they might just require a correctly signed TTS app from an older JDM device, but that's unclear at present.

We've reached out to both Google and Samsung for comment, and we'll be sure to update this article if we hear back.

Thanks to XDA Senior Member K0mraid3 for his valuable input into this article!