180 vulnerabilities in
Samsung preinstalled apps

180 vulnerabilities in
Samsung preinstalled apps

Over three years of security research into Samsung's preinstalled system applications, Oversecured identified 180 vulnerabilities —  the largest mobile security disclosures in history. All issues were responsibly disclosed and patched by Samsung.

Over three years of security research into Samsung's preinstalled system applications, Oversecured identified 180 vulnerabilities —  the largest mobile security disclosures in history. All issues were responsibly disclosed and patched by Samsung.

Contains documentation

for all findings

Contains documentation

for all findings

180

180

Vulnerabilities discovered

Vulnerabilities discovered

100%

100%

Patched by Samsung

Patched by Samsung

$200K+

$200K+

Bug bounty awarded

Bug bounty awarded

#1

#1

Samsung Hall of Fame

Samsung Hall of Fame

The unmapped attack surface

When security researchers examine mobile threats, attention typically focuses on malicious apps or vulnerabilities in the Android core. The vendor customization layer — proprietary software manufacturers add to differentiate their devices — receives far less scrutiny.

Preinstalled system applications run with extra privileges than normal apps, cannot be removed by users, and operate outside Google Play Protect. A single vulnerability affects hundreds of millions of devices globally through one vendor's distribution channel.

Unlike third-party applications subject to Google Play Store vetting, preinstalled vendor apps operate with elevated system privileges, cannot be uninstalled by users, and receive minimal scrutiny from the security community.

"The Android ecosystem runs on two parallel security systems. AOSP core receives intensive scrutiny from Google and the open-source community. Vendor modifications — the custom layer every manufacturer adds — receive almost none."

"The Android ecosystem runs on two parallel security systems. AOSP core receives intensive scrutiny from Google and the open-source community. Vendor modifications — the custom layer every manufacturer adds — receive almost none."

"The Android ecosystem runs on two parallel security systems. AOSP core receives intensive scrutiny from Google and the open-source community. Vendor modifications — the custom layer every manufacturer adds — receive almost none."

Preinstalled app threat properties

Preinstalled app threat properties

Privelege level

Extra privileges

User removable

No — requires rooting

Persists after factory reset

Yes

Global device coverage

20–25% market share

Trusted by security software

Yes

All reported issues patched

100%

"This disclosure follows Oversecured's 2024 research into Xiaomi devices, which identified 20+ vulnerabilities with similar patterns. Combined, these findings represent over 200 critical vulnerabilities discovered across two major Android vendors in three years — indicating industry-wide architectural gaps rather than vendor-specific oversights."

"This disclosure follows Oversecured's 2024 research into Xiaomi devices, which identified 20+ vulnerabilities with similar patterns. Combined, these findings represent over 200 critical vulnerabilities discovered across two major Android vendors in three years — indicating industry-wide architectural gaps rather than vendor-specific oversights."

"This disclosure follows Oversecured's 2024 research into Xiaomi devices, which identified 20+ vulnerabilities with similar patterns. Combined, these findings represent over 200 critical vulnerabilities discovered across two major Android vendors in three years — indicating industry-wide architectural gaps rather than vendor-specific oversights."

Vulnerability categories

The 180 vulnerabilities span six primary exploit categories. Each class represents a systemic architectural weakness — not a one-off coding mistake.

The 180 vulnerabilities span six primary exploit categories. Each class represents a systemic architectural weakness — not a one-off coding mistake.

Category

Description

Primary Impact

Vulnerability IDs

System Privilege Escalation

Exploiting services running as UID 1000 (system) to execute arbitrary code or overwrite files.

Complete Device Compromise

145, 149, 150, 156, 166, 177

PendingIntent Hijacking

Intercepting mutable tokens to execute actions within the context of the creator.

Context Spoofing / Data Access

167, 178, 179, 180

Intent Redirection

Using a privileged app as a proxy to launch protected internal components.

Access Control Bypass

151, 160, 163, 158, 165

Implicit IPC Leakage

Broadcasting sensitive data to the public intent bus without restricting receivers.

Information Disclosure

152, 173, 174, 159, 170, 168, 175, SVE-2023-1112, SVE-2023-0760, SVE-2023-0928

Broadcast Spoofing & Exposure

Sending or receiving broadcasts without permission checks.

State Manipulation / Data Leak

147, 157, 162, 164, 171, 176, 146

Logic & Configuration Flaws

Design errors in specific features or cloud backends.

Denial of Service / Privacy Loss

148, 153, 154, 155, 161, 169, 172

All 180 vulnerabilities. 140 vulnerabilities are documented with full technical descriptions. 40 vulnerabilities are disclosed as CVE identifiers. View full list on GitHub

All 180 vulnerabilities. 140 vulnerabilities are documented with full technical descriptions. 40 vulnerabilities are disclosed as CVE identifiers. View full list on GitHub

Selected critical findings

Complete attack chains assembled exclusively from preinstalled app vulnerabilities. Each was responsibly disclosed and patched by Samsung.

Complete attack chains assembled exclusively from preinstalled app vulnerabilities. Each was responsibly disclosed and patched by Samsung.

Finding 01

FactoryCamera

FactoryCamera

Finding 02

SmartThings

SmartThings

Finding 03

WifiServiceImpl

WifiServiceImpl

Finding 04

DualOutFocusViewer

DualOutFocusViewer

Finding 05

DeX for PC

DeX for PC

Finding 06

ThemeManager

ThemeManager

com.sec.factory.camera

01 Silent Camera and Microphone Access

A debug app shipped on production devices with system privileges. An unprotected broadcast receiver accepts test commands. Any app can trigger it to start recording video — no permission prompt, no camera indicator, video saved to accessible storage.

com.sec.factory.camera

01 Silent Camera and Microphone Access

A debug app shipped on production devices with system privileges. An unprotected broadcast receiver accepts test commands. Any app can trigger it to start recording video — no permission prompt, no camera indicator, video saved to accessible storage.

com.samsung.android.oneconnect

02 Remote Samsung Account Takeover

A deep link (sendable via SMS or email) triggers the app to load an attacker-controlled URL in an embedded WebView. JavaScript interfaces expose the user's Samsung Account tokens to any loaded JS code via McsBridge.getAuthInfo(). The attack required only a single click.

com.samsung.android.oneconnect

02 Remote Samsung Account Takeover

A deep link (sendable via SMS or email) triggers the app to load an attacker-controlled URL in an embedded WebView. JavaScript interfaces expose the user's Samsung Account tokens to any loaded JS code via McsBridge.getAuthInfo(). The attack required only a single click.

Samsung Android Framework

03 Network Traffic Hijacking via DNS Manipulation

Samsung's custom Wi-Fi stack exposed semAddPublicDnsAddr() — accessible to any app with zero permissions. An attacker injects a malicious DNS server that redirects all DNS queries from all apps on the device. No user notification of any kind.

Samsung Android Framework

03 Network Traffic Hijacking via DNS Manipulation

Samsung's custom Wi-Fi stack exposed semAddPublicDnsAddr() — accessible to any app with zero permissions. An attacker injects a malicious DNS server that redirects all DNS queries from all apps on the device. No user notification of any kind.

com.samsung.android.app.dofviewer

04 Arbitrary Code Execution via Crafted Image

A malicious app delivers a specially crafted JPEG. When the victim opens it, the app copies attacker-controlled native libraries from the SD card and loads them via System.load() without signature verification. Code executes with zero permissions required.

com.samsung.android.app.dofviewer

04 Arbitrary Code Execution via Crafted Image

A malicious app delivers a specially crafted JPEG. When the victim opens it, the app copies attacker-controlled native libraries from the SD card and loads them via System.load() without signature verification. Code executes with zero permissions required.

com.sec.android.app.dexonpc

05 Unauthorized Screen Capture

The screen mirroring discovery service was exported without permissions. A malicious app on the same Wi-Fi network calls startScan(), discovers the attacker's laptop, and calls connect() — the device's entire screen streams silently without user interaction.

com.sec.android.app.dexonpc

05 Unauthorized Screen Capture

The screen mirroring discovery service was exported without permissions. A malicious app on the same Wi-Fi network calls startScan(), discovers the attacker's laptop, and calls connect() — the device's entire screen streams silently without user interaction.

com.samsung.android.themecenter

06 Arbitrary File Write with System Privileges

The ThemeManager app, running with system privileges, contained a path traversal vulnerability. The app allowed writing arbitrary files to the file system without proper path validation, enabling attackers to overwrite files in protected system directories.

com.samsung.android.themecenter

06 Arbitrary File Write with System Privileges

The ThemeManager app, running with system privileges, contained a path traversal vulnerability. The app allowed writing arbitrary files to the file system without proper path validation, enabling attackers to overwrite files in protected system directories.

The economics of mobile exploitation

The economics of mobile exploitation

Preinstalled app vulnerabilities provide comparable capabilities at near-zero operational cost, affecting 20-25% of the global smartphone market share.

Preinstalled app vulnerabilities provide comparable capabilities at near-zero operational cost, affecting 20-25% of the global smartphone market share.

Traditional full-chain exploit

$1.5M

Zerodium public listing for Android full-chain exploits

  • Requires purchasing a browser exploit for initial access

  • Then chaining additional exploits to achieve full system control

Preinstalled app vulnerabilities

~0.00$

Near-zero operational cost

  • Operate with elevated system privileges (UID 1000)

  • System-level access survives factory resets

  • Remain trusted by security software

  • Affects 20–25% of the global smartphone market share

  • Cannot be uninstalled without rooting the device

Four repeating patterns

Four repeating patterns

These weren't random bugs. The same architectural weaknesses appeared across Samsung and Xiaomi devices and across multiple research cycles. The pattern is systemic.

These weren't random bugs. The same architectural weaknesses appeared across Samsung and Xiaomi devices and across multiple research cycles. The pattern is systemic.

Forgotten Debug Interfaces

Multiple vulnerabilities stemmed from debug and testing applications (FactoryCamera, Configuration Update) that shipped on production devices with system privileges and no access controls.

Unsafe Inter-Process Communication

Exported services and broadcast receivers frequently lacked permission checks, allowing privilege escalation from unprivileged apps.

Path Traversal in System Apps

Multiple instances of unsafe file path handling in system-privileged applications enabled arbitrary file access.

Insecure WebView Configurations

JavaScript interfaces exposed sensitive APIs to untrusted web content loaded via deep links.

Three years
of coordinated
disclosure

Three years of coordinated disclosure

2022

Initial Research

Two Weeks, 17 Vulnerabilities

Oversecured conducted a two-week research on Samsung's system app security, resulting in the discovery of 17 vulnerabilities. Samsung patched all findings.

2022

2022–2025

Full Research Cycle

180 Vulnerabilities, 100% Patched

Between 2022 and 2025, Oversecured discovered and responsibly disclosed 180 vulnerabilities in Samsung preinstalled system applications. Samsung patched all reported issues and compensated the research team with over $200,000 in bug bounty rewards.

2022–2025

" A sophisticated attacker doesn’t need a million-dollar zero-day when a forgotten debug app ships on 500 million devices. These vulnerabilities offer persistent system-level access, silent camera control, DNS hijacking, and they're already trusted by the OS. For cyber-espionage, that’s perfect: persistent, privileged, invisible, and impossible to remove.

" A sophisticated attacker doesn’t need a million-dollar zero-day when a forgotten debug app ships on 500 million devices. These vulnerabilities offer persistent system-level access, silent camera control, DNS hijacking, and they're already trusted by the OS. For cyber-espionage, that’s perfect: persistent, privileged, invisible, and impossible to remove.

Sergey Toshin · Founder, Oversecured · #1 Google Play Security Researcher

Sergey Toshin · Founder, Oversecured · #1 Google Play Security Researcher

Are you protected?

All 180 vulnerabilities were patched through regular Samsung security updates distributed between 2022 and 2025. Users with the current Android Security Patch Level are protected from all reported vulnerabilities.

Patched

Patched

All Samsung devices

+100M

Devices affected
(pre-patch)

+100M

Devices affected
(pre-patch)

+100M

Devices affected
(pre-patch)

20+

20+

Vulnerabilities identified
by Xiaomi research

2022–2025

2022–2025

Distribution timeline
of security updates

Watch Oversecured find real vulnerabilities in your app

Watch Oversecured find real vulnerabilities
in your app

Watch Oversecured find real vulnerabilities
in your app

Book a demo and see taint analysis, authenticated scanning, and exploit-backed checks in action.

Book a demo and see taint analysis, authenticated scanning, and exploit-backed checks in action.