# Responsible disclosure report: 180 vulnerabilities in Samsung preinstalled apps
Over three years of security research into Samsung’s preinstalled system applications, Oversecured identified 180 vulnerabilities — the largest single mobile security disclosure in history. All issues were responsibly disclosed and patched by Samsung.
## The problem
### The unmapped attack surface
When security researchers examine mobile threats, attention typically focuses on malicious apps or vulnerabilities in the Android core. The vendor customization layer — proprietary software manufacturers add to differentiate their devices — receives far less scrutiny.
Preinstalled system applications run with system-level privileges (UID 1000), cannot be removed by users, and operate outside Google Play Protect. A single vulnerability affects hundreds of millions of devices globally through one vendor’s distribution channel.
Unlike third-party applications subject to Google Play Store vetting, preinstalled vendor apps operate with elevated system privileges, cannot be uninstalled by users, and receive minimal scrutiny from the security community.
The Android ecosystem runs on two parallel security systems. AOSP core receives intensive scrutiny from Google and the open-source community. Vendor modifications — the custom layer every manufacturer adds — receive almost none.
## Preinstalled app threat properties
| Property | Preinstalled app characteristics |
| --- | --- |
| Privilege level | UID 1000 (System) |
| User removable | No — requires rooting |
| Persists after factory reset | Yes |
| Global device coverage | 20–25% market share |
| Trusted by security software | Yes |
| All reported issues patched | ✓ 100% |
## By the numbers
### Vulnerability categories
The 180 vulnerabilities span six primary exploit categories. Each class represents a systemic architectural weakness — not a one-off coding mistake.
**180** total vulnerabilities · **2022–2025**
## Selected findings
### Selected critical findings
Complete attack chains assembled exclusively from preinstalled app vulnerabilities. Each was responsibly disclosed and patched by Samsung.
**Finding 01 · FactoryCamera · `com.sec.factory.camera`**
Silent Camera and Microphone Access
A debug app shipped on production devices with system privileges. An unprotected broadcast receiver accepts test commands. Any app can trigger it to start recording video — no permission prompt, no camera indicator, video saved to accessible storage.
**Finding 02 · SmartThings · `com.samsung.android.oneconnect`**
Remote Samsung Account Takeover
A deep link (sendable via SMS or email) triggers the app to load an attacker-controlled URL in an embedded WebView. JavaScript interfaces expose the user’s Samsung Account tokens to any loaded JS code via `McsBridge.getAuthInfo()`. The attack required only a single click.
**Finding 03 · WifiServiceImpl · Samsung Android Framework**
Network Traffic Hijacking via DNS Manipulation
Samsung’s custom Wi-Fi stack exposed `semAddPublicDnsAddr()` — accessible to any app with zero permissions. An attacker injects a malicious DNS server, redirecting all DNS queries from all apps on the device. No user notification of any kind.
**Finding 04 · DualOutFocusViewer · `com.samsung.android.app.dofviewer`**
Arbitrary Code Execution via Crafted Image
A malicious app delivers a specially crafted JPEG. When the victim opens it, the app copies attacker-controlled native libraries from the SD card and loads them via `System.load()` without signature verification. Code executes with zero permissions required.
**Finding 05 · DeX for PC · `com.sec.android.app.dexonpc`**
Unauthorized Screen Capture
The screen mirroring discovery service was exported without permissions. A malicious app on the same Wi-Fi network calls `startScan()`, discovers the attacker’s laptop, and calls `connect()` — the device’s entire screen streams silently without user interaction.
**Finding 06 · ThemeManager · `com.samsung.android.themecenter`**
Arbitrary File Write with System Privileges
The ThemeManager app, running with system privileges, contained a path traversal vulnerability. The app allowed writing arbitrary files to the file system without proper path validation, enabling attackers to overwrite files in protected system directories.
## Why this matters
### The economics of mobile exploitation
Preinstalled app vulnerabilities provide capabilities comparable to a purchased full-chain exploit at near-zero operational cost, on devices that account for 20–25% of the global smartphone market.
**Zerodium public listing for Android full-chain exploits**
- Requires purchasing a browser exploit for initial access
- Then chaining additional exploits to achieve full system control

**Near-zero operational cost**
- Operate with elevated system privileges (UID 1000)
- System-level access survives factory resets
- Remain trusted by security software
- Affects 20–25% of the global smartphone market share
- Cannot be uninstalled without rooting the device
## Systemic risk assessment
### Four repeating patterns
These weren’t random bugs. The same architectural weaknesses appeared across Samsung and Xiaomi devices and across multiple research cycles. The pattern is systemic.
### Forgotten Debug Interfaces
Multiple vulnerabilities stemmed from debug and testing applications (FactoryCamera, Configuration Update) that shipped on production devices with system privileges and no access controls.
### Unsafe Inter-Process Communication
Exported services and broadcast receivers frequently lacked permission checks, allowing privilege escalation from unprivileged apps.
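As an added illustration of the two patterns above (not code from Oversecured or Samsung), this Python sketch audits a decoded `AndroidManifest.xml` for exported components that declare no permission, and notes whether the package shares the system UID. The manifest, package name and class names are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.factorytool" android:sharedUserId="android.uid.system">
  <application>
    <receiver android:name=".TestCommandReceiver">
      <intent-filter><action android:name="com.example.factorytool.RUN_TEST"/></intent-filter>
    </receiver>
    <service android:name=".DiscoveryService" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.factorytool.permission.SYNC"/>
    <provider android:name=".FilesProvider" android:exported="false"
        android:authorities="com.example.factorytool.files"/>
  </application>
</manifest>"""

def is_exported(elem):
    # An explicit android:exported wins; without it, an <intent-filter>
    # makes the component exported on apps targeting API levels below 31.
    flag = elem.get(NS + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return elem.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (runs_as_system, [(tag, name), ...]) for exported components
    that declare no permission of their own or via <application>."""
    root = ET.fromstring(xml_text.strip())
    runs_as_system = root.get(NS + "sharedUserId") == "android.uid.system"
    app = root.find("application")
    findings = []
    for elem in (app if app is not None else []):
        if elem.tag not in COMPONENTS or not is_exported(elem):
            continue
        perm = elem.get(NS + "permission") or app.get(NS + "permission")
        if elem.tag == "provider" and not perm:
            # Providers can be guarded by a read/write permission pair instead.
            perm = elem.get(NS + "readPermission") and elem.get(NS + "writePermission")
        if not perm:
            findings.append((elem.tag, elem.get(NS + "name")))
    return runs_as_system, findings

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A hit is a review candidate rather than a confirmed flaw, since a component may still enforce caller checks in code; launcher activities will also appear and are expected to be exported.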
### Path Traversal in System Apps
Multiple instances of unsafe file path handling in system-privileged applications enabled arbitrary file access.
### Insecure WebView Configurations
JavaScript interfaces exposed sensitive APIs to untrusted web content loaded via deep links.
## Research timeline
### Three years of coordinated disclosure
Every vulnerability was responsibly disclosed to Samsung. Samsung patched all reported issues and compensated the research team with over $200,000 in bug bounty rewards.
**180** vulnerabilities patched · **$200K+** total awarded · **#1** Samsung Hall of Fame · **100%** patch rate
> A sophisticated attacker doesn’t need a million-dollar zero-day when a forgotten debug app ships on 500 million devices. These vulnerabilities offer persistent system-level access, silent camera control, DNS hijacking, and they’re already trusted by the OS. For cyber-espionage, that’s perfect: persistent, privileged, invisible, and impossible to remove.
## User protection status
### Are you protected?
All 180 vulnerabilities were patched through regular Samsung security updates distributed between 2022 and 2025. Users with the current Android Security Patch Level are protected from all reported vulnerabilities.
| Coverage | Status |
| --- | --- |
| Samsung devices | All patched ✓ |
| Distribution timeline | 2022–2025 security updates |
| Devices affected (pre-patch) | Hundreds of millions |
| Xiaomi companion research | 20+ vulnerabilities identified |
## Don’t wait for a disclosure
### The same gaps exist in your apps
The vulnerability patterns found in Samsung preinstalled apps – unsafe IPC, insecure WebViews, path traversal in privileged components – appear in mobile banking, fintech, and enterprise apps every day. Oversecured finds them before attackers do. Start with a free scan.
