2025-03-07

Google Alerts Users About Samsung S24 and S23 Security Threat—Inspect Your Galaxy Device Immediately


Exciting times for Galaxy flagship owners, with the excellent Android 15 upgrade due to be released in just a few weeks, alongside the launch of the new S25. The new OS brings a raft of security and privacy enhancements as Samsung narrows the gap to iPhone; some are general Android enhancements and some are specific to Samsung.


One area that is still very much work in progress, though, is the painful monthly process to patch security vulnerabilities, again whether that’s across Android or is specific to Samsung. We’ve seen multiple delays in recent months, as Samsungs have lagged behind Pixels in getting critical OS fixes. The new S25 looks likely to move to Android’s seamless update process for the first time, which will help, but that won’t in itself resolve the monthly merry-go-round.

While most of the recent dangerous vulnerabilities have either related to Android’s OS or Qualcomm’s chipsets, there were some Samsung-specific critical issues patched last month. As I reported in December, one vulnerability in particular, CVE-2024-49415, a Samsung memory issue, was addressed to “stop potential attacks from executing remote code on Galaxy devices.” Now a Google Project Zero researcher has “unrestricted this issue,” which “shows a fun new attack surface. Android RCS locally transcribes incoming media, making vulnerabilities audio codecs now fully-remote.”

The vulnerability involves an "out-of-bounds write" in the Monkey's Audio (APE) decoder found on the Samsung S24. Specifically, the function saped_rec within libsaped.so is responsible for writing to a dmabuf that is allocated by the C2 media service, which consistently has a size of 0x120000. Although the maximum blocksperframe value retrieved by libsapedextractor is capped at 0x120000, the saped_rec function is capable of writing beyond this limit.

In practical terms, this concerns the S24's transcription feature, which processes audio linked to an RCS message. The report cautions, “This is a completely remote (0-click) vulnerability on the Samsung S24.” It explains that “If Google Messages is set up for RCS (which is the default setting on this device), the transcription service can decode audio messages before the user even engages with the message for transcription, potentially allowing the device to be compromised.”


The vulnerability can be exploited by writing up to three times the allowable data size, risking memory corruption and potentially leaving the device open to a fully remote attack. A likely attack would combine this vulnerability with others, to plant malware, exfiltrate data or seek to take over a device. The write-up includes details of a demonstrable S24 attack, albeit the bug “was tested a Samsung S23 and S24 and both appear to be affected.” It was not tested on other devices.
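The size mismatch described above can be shown as a bounds check. This is an added example in C, not code from Samsung, Google or the Project Zero report: a cap on the block count alone does not bound the write when each block produces more than one byte of output. The struct, the function names and the bytes_per_block field are hypothetical assumptions; only the two 0x120000 values come from the article.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OUT_BUF_SIZE         0x120000u /* output buffer size given in the article */
#define MAX_BLOCKS_PER_FRAME 0x120000u /* extractor's cap given in the article */

/* Hypothetical frame parameters; bytes_per_block is an assumed field. */
struct frame_info {
    uint32_t blocks_per_frame;
    uint32_t bytes_per_block;
};

/* Flawed pattern: bounds the block count, not the bytes written. */
int check_count_only(const struct frame_info *f)
{
    return f->blocks_per_frame <= MAX_BLOCKS_PER_FRAME;
}

/* Hardened pattern: compute the bytes the decoder will write and compare
 * that to the destination capacity. Returns 0 and sets *need on success,
 * -1 if the frame must be rejected. */
int check_output_bytes(const struct frame_info *f, size_t cap, size_t *need)
{
    if (f->blocks_per_frame == 0 || f->bytes_per_block == 0)
        return -1;
    if (f->blocks_per_frame > MAX_BLOCKS_PER_FRAME)
        return -1;
    /* 64-bit product of two 32-bit values cannot wrap. */
    uint64_t bytes = (uint64_t)f->blocks_per_frame * f->bytes_per_block;
    if (bytes > cap)
        return -1;
    *need = (size_t)bytes;
    return 0;
}

int main(void)
{
    /* Constructed inputs: same buffer, different output widths. */
    struct frame_info frames[] = { {0x120000u, 1}, {0x120000u, 3}, {0x60000u, 3} };
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++) {
        size_t need = 0;
        int ok = check_output_bytes(&frames[i], OUT_BUF_SIZE, &need);
        printf("blocks=0x%x width=%u count_only=%d output_check=%s\n",
               (unsigned)frames[i].blocks_per_frame, (unsigned)frames[i].bytes_per_block,
               check_count_only(&frames[i]), ok == 0 ? "accept" : "reject");
    }
    return 0;
}
```

The second constructed frame passes the count-only check but is rejected once the check is made on the bytes to be written.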

If you have applied the security update from December, your device is protected from this vulnerability. It's a good idea to verify that your phone is running the most recent update. However, not all impacted devices may have received the update yet. Typically, newer flagship models are patched earlier in the month, but the update rollout can extend to the end of the month and occasionally even longer. Therefore, it’s important to regularly check for updates and install them as soon as they become available.
