Specialists of the Portuguese company Char49 told at the DEF CON conference on a number of vulnerabilities in the Find My Mobile app, which is pre-installed on Samsung devices. As the name suggests, Find My Mobile can help you find your lost Samsung phone. You can also use the app to lock your device remotely, block access to Samsung Pay, and completely wipe your phone if it falls into the wrong hands.
Analysts at Char49 reported four vulnerabilities in Find My Mobile that could be exploited by a malicious application installed on the target device. So, to exploit the first vulnerability, the malicious application only needed access to the device's SD card. There, the malware created a file that allowed attackers to intercept communications with backend servers.
As a result, the successful exploitation of the entire chain of problems allowed malware to perform any action available to Find My Mobile, including a forced factory reset, clearing data, tracking the device's location in real time, receiving phone calls and messages, and locking and unlocking the phone.
The exploit of the researchers worked against Samsung Galaxy S7, S8 and S9 + devices until the manufacturer released patches.
Experts say the bugs were discovered over a year ago, but Samsung engineers did not fix them until late October 2019, and Char49 decided to wait an additional nine months before disclosing the details of the vulnerabilities.