Samsung’s Galaxy S6 Edge phone has 11 Zero Days, researchers said.
In a project that started for fun and then turned serious, Google’s Project Zero security team found the holes.
The project is a program started by Google, with the aim of improving overall application security by having its own top-of-the-line security experts actively search, find, report, and help fix Zero Day vulnerabilities in commonly used software.
A few months back, the Project Zero team decided to diversify their daily work routine by focusing all their efforts only on one project at a time, while also splitting into two teams (Europe vs. North America) and see which one discovered the most bugs.
The project they chose to work on was Samsung’s latest smartphone, the Galaxy S6 Edge, mainly because it has a large user base, and also deploys a modified version of Android.
Since Google had already gone over Android’s code with a fine-tooth comb, looking for bugs, its Project Zero team was trying to identify flaws introduced by Samsung when it adapted the Android OS to its custom hardware setup.
Before beginning their work, the team also set out to find a specific set of bugs, actively looking for remote exploits that granted them access to contacts, photos, and messages. Additionally, if the developers found other bugs or a way to gain device persistence, their team would win extra points.
While the contest started out for fun, after a week’s work, things got serious after researchers found 11 Zero Days, three of which were trivial to exploit.
“Overall, we found a substantial number of high-severity issues, though there were some effective security measures on the device which slowed us down,” said Google’s Natalie Silvanovich. “The weak areas seemed to be device drivers and media processing.”
The researchers notified Samsung of the issues, which quickly fixed 8 of them during the company’s October Maintenance Release, while the other 3 will end up fixed this month.