The unmapped attack surface
When security researchers examine mobile threats, attention typically focuses on malicious apps or vulnerabilities in the Android core. The vendor customization layer — proprietary software manufacturers add to differentiate their devices — receives far less scrutiny.
Preinstalled system applications run with extra privileges than normal apps, cannot be removed by users, and operate outside Google Play Protect. A single vulnerability affects hundreds of millions of devices globally through one vendor's distribution channel.
Unlike third-party applications subject to Google Play Store vetting, preinstalled vendor apps operate with elevated system privileges, cannot be uninstalled by users, and receive minimal scrutiny from the security community.
Privelege level
Extra privileges
User removable
No — requires rooting
Persists after factory reset
Yes
Global device coverage
20–25% market share
Trusted by security software
Yes
All reported issues patched
100%
Vulnerability categories
Category
Description
Primary Impact
Vulnerability IDs
System Privilege Escalation
Exploiting services running as UID 1000 (system) to execute arbitrary code or overwrite files.
Complete Device Compromise
145, 149, 150, 156, 166, 177
PendingIntent Hijacking
Intercepting mutable tokens to execute actions within the context of the creator.
Context Spoofing / Data Access
167, 178, 179, 180
Intent Redirection
Using a privileged app as a proxy to launch protected internal components.
Access Control Bypass
151, 160, 163, 158, 165
Implicit IPC Leakage
Broadcasting sensitive data to the public intent bus without restricting receivers.
Information Disclosure
152, 173, 174, 159, 170, 168, 175, SVE-2023-1112, SVE-2023-0760, SVE-2023-0928
Broadcast Spoofing & Exposure
Sending or receiving broadcasts without permission checks.
State Manipulation / Data Leak
147, 157, 162, 164, 171, 176, 146
Logic & Configuration Flaws
Design errors in specific features or cloud backends.
Denial of Service / Privacy Loss
148, 153, 154, 155, 161, 169, 172
Selected critical findings
Finding 01
Finding 02
Finding 03
Finding 04
Finding 05
Finding 06
Traditional full-chain exploit
$1.5M
Zerodium public listing for Android full-chain exploits
Requires purchasing a browser exploit for initial access
Then chaining additional exploits to achieve full system control
Preinstalled app vulnerabilities
~0.00$
Near-zero operational cost
Operate with elevated system privileges (UID 1000)
System-level access survives factory resets
Remain trusted by security software
Affects 20–25% of the global smartphone market share
Cannot be uninstalled without rooting the device
Forgotten Debug Interfaces
Multiple vulnerabilities stemmed from debug and testing applications (FactoryCamera, Configuration Update) that shipped on production devices with system privileges and no access controls.
Unsafe Inter-Process Communication
Exported services and broadcast receivers frequently lacked permission checks, allowing privilege escalation from unprivileged apps.
Path Traversal in System Apps
Multiple instances of unsafe file path handling in system-privileged applications enabled arbitrary file access.
Insecure WebView Configurations
JavaScript interfaces exposed sensitive APIs to untrusted web content loaded via deep links.
Initial Research
Two Weeks, 17 Vulnerabilities
Oversecured conducted a two-week research on Samsung's system app security, resulting in the discovery of 17 vulnerabilities. Samsung patched all findings.
Full Research Cycle
180 Vulnerabilities, 100% Patched
Between 2022 and 2025, Oversecured discovered and responsibly disclosed 180 vulnerabilities in Samsung preinstalled system applications. Samsung patched all reported issues and compensated the research team with over $200,000 in bug bounty rewards.

Are you protected?
All 180 vulnerabilities were patched through regular Samsung security updates distributed between 2022 and 2025. Users with the current Android Security Patch Level are protected from all reported vulnerabilities.
All Samsung devices
Vulnerabilities identified
by Xiaomi research
Distribution timeline
of security updates








