Security vulnerability reported in Samsung's Galaxy S4

According to the Wall Street Journal, the security platform for Samsung's Galaxy S4 smartphone suffers from a vulnerability that could allow malware programs to track emails and record data communications. Researchers at Israel's Ben-Gurion University of the Negev say that earlier this month they discovered the flaw, which affects phones with the new Knox platform for government and corporate clients. 

Researcher Mordechai Guri told the Wall Street Journal that the vulnerability could allow a hacker to easily intercept secure data communications on Samsung Galaxy S4 smartphones with the Knox platform enabled. This prompted a statement from Samsung, which noted that they were looking into the claims, but maintained that "the core Knox architecture cannot be compromised or infiltrated by such malware". The Knox platform isn't preloaded on the Galaxy S4, and despite being preloaded on devices such as the Galaxy Note 3, the researchers have said that the problem only affects the S4 smartphone.

This news comes shortly after Samsung has made moves to bolster their security features, including rumors that the Galaxy S5 smartphone would feature eye-scanning technology. The phone maker, which shipped 81.2 million units in the third quarter of 2013, has been looking to increase their market share by acquiring security contracts with government and corporate entities. A spokesperson for the U.S Department of Defense stated that while the government doesn't comment on possible security vulnerabilities, no device would be used by the Pentagon until it was proven secure -- and added that while the Department of Defense purchased 500 Galaxy S4 units for testing as part of a 'pilot program', the Knox security platform for Samsung devices has not yet been approved for use on Pentagon networks.

Source: Wall Street Journal | Image via Shutterstock - Samsung Galaxy S4

Report a problem with article
Previous Story

'Halo: Spartan Assault' for Xbox One syncs progress with Windows, Windows Phone versions

Next Story

Steam Machine Review

35 Comments

Commenting is disabled on this article.

This subject matter makes me recall someone's comments that will forever hold true... regardless of the computing platform:

"If it can be coded... it can be cracked"

There is no such thing as total security. Everyone (developers & end-users) just has to keep up in plugging up the holes. A highly popular platform will naturally have a tendency to become the most vulnerable one (it's success causes it to become a bigger target).

Don't trust any phone for any type security, period!

With Google and Apple behind so many of them, who knows what's sent out or getting in, or anything? Not saying MS is any better with their phones either, but if I had to choose 1 of them for thinking I could trust them, it would be MS.

Pretty much why I don't own any type modern smart phone!!

Maybe I'm not reading this correctly, but it appears to be some malware one would have to download, just don't download it?

(Most phones come with the most used apps pre installed anyway)

Android security is especially worrisome (for me anyway) because patches are pretty much non-existent from my carrier. I have Xprivacy installed (thanks to a tip I got here) and love the control...might be useful towards some of this crap too.

i think even though knox is apparently a government feature for enhanced security, a "closed" platform built upon an open platform such as android will have holes in it where it can be compromised so its not surprising but itll get better over time

psionicinversion said,
i think even though knox is apparently a government feature for enhanced security, a "closed" platform built upon an open platform such as android will have holes in it where it can be compromised so its not surprising but itll get better over time

The problem with a broken model getting better over time, is that it will always be based on a broken model.

If Google cared about security, they would have dumped the code back around 2.x and redesigned the OS model. They didn't and to keep compatibility, it is now impossible to make these level of corrections.

Even Apple tried to pull iOS back by limiting App access and trying to contain holes, but is just more duct tape on a poorly designed security model as well.

Mobius Enigma said,

The problem with a broken model getting better over time, is that it will always be based on a broken model.


If Google cared about security, they would have dumped the code back around 2.x and redesigned the OS model. They didn't and to keep compatibility, it is now impossible to make these level of corrections.

Even Apple tried to pull iOS back by limiting App access and trying to contain holes, but is just more duct tape on a poorly designed security model as well.

yeah i suppose, but if they fixed it and that got fragmented it would be a governmental nightware to, ah thats was the s4 you need the s5 to keep it secure now... not good

I've played about with Knox on my Note 3 and while it's an interesting product it has a very limited appeal - it certainly isn't for casual users.

It's interesting that the issue only affects the S4 and not other phones, which suggests the problem isn't with Knox itself and I imagine it can be fixed with a software update.

01Michael10 said,
This post has no details about this "security vulnerability" and the WSJ article is behind a paywall. What the hell?

Android is much, much less secure than both iOS and WP.

Edited by zhangm, Dec 26 2013, 12:36am :

stevan said,

Android is much, much less secure than both iOS and WP.


How do you think these people are doing jailbreaks on iOS? Two words: Security vunerability.

stevan said,

Android is much, much less secure than both iOS and WP.

Factual source?

As with Windows users simply have more freedom, with freedom comes responsibly like in the real world.

A device is only as secure as the person using it.

iOS has had its fair share of problems, jailbroken by simply visiting a website...

Never said other platforms aren't secure. It's just that when people think security, Android is the last platform that comes to mind.

Remember Eric being laughed on stage....

stevan said,
Never said other platforms aren't secure. It's just that when people think security, Android is the last platform that comes to mind.

Remember Eric being laughed on stage....


When those people already hate Android stuff to begin...sure I might believe you.

01Michael10 said,

This post has no details about this "security vulnerability" and the WSJ article is behind a paywall. What the hell?

Go look up basic security models, like isolation, virtualization, and even object token models.

Then come back here and proclaim that Android is just as secure as WP or iOS. (iOS isn't very secure in comparison to WP either.)

WP has been around for several years and has ZERO malware, and ZERO potential exploits or entry points.


Edited by zhangm, Dec 26 2013, 12:56am :

DoDonpachi said,

Factual source?

As with Windows users simply have more freedom, with freedom comes responsibly like in the real world.

A device is only as secure as the person using it.

iOS has had its fair share of problems, jailbroken by simply visiting a website...

Yes, go read how the WP API framework is designed, that is one source. You can't in theory even make malware for WP. There is no way for end users to get tricked, there are no entry points, there is no way for an App to leave its isolation container, and on and on.

Some of the earlier Android malware was distributed through botted *nix routers that would wait for an official 'Google' App update, and slip malware into the App update, as Android didn't even do a security check of code during the update/install - and still doesn't do it properly. (There are 100s of tricks like this to get malware on Android without the end user being careless, let along all the ways by tricking the end user.)


neonspark said,
Who relies on android for security lol.

Samsung doesnt represent Android as a whole. Most likely an issue with Samsung's software. Again, not Android as a whole.

But whatever.

Mobius Enigma said,

Yes, go read how the WP API framework is designed, that is one source. You can't in theory even make malware for WP. There is no way for end users to get tricked, there are no entry points, there is no way for an App to leave its isolation container, and on and on.

Some of the earlier Android malware was distributed through botted *nix routers that would wait for an official 'Google' App update, and slip malware into the App update, as Android didn't even do a security check of code during the update/install - and still doesn't do it properly. (There are 100s of tricks like this to get malware on Android without the end user being careless, let along all the ways by tricking the end user.)


And also slip malware into the App update? Just curious do you have a link for the article? And also about the WP API framework, how is it possible that it is impossible to hack? I mean there are things that are aqble to read user data like SMS application. Can't they just read and upload the user data?

techbeck said,

Samsung doesnt represent Android as a whole. Most likely an issue with Samsung's software. Again, not Android as a whole.

But whatever.


In fact Samsung galaxy in the representative of android more than 70% of android devices people are using are Samsung galaxies. Hello?! And the security issue is due to the openness of android. Everything have a price. Price of having more software flexibility is security issues. Kinda same story with PCs. But in google's case its worse because android is getting a giant monster. I am kinda impressed that right now there aren't major security issues.

Mobius Enigma said,

Go look up basic security models, like isolation, virtualization, and even object token models.

Then come back here and proclaim that Android is just as secure as WP or iOS. (iOS isn't very secure in comparison to WP either.)

WP has been around for several years and has ZERO malware, and ZERO potential exploits or entry points.


Windows Phone is like the Mac of the smartphone world. No one cares enough to make a virus for it.

SharpGreen said,

Windows Phone is like the Mac of the smartphone world. No one cares enough to make a virus for it.

Well that just about covers all the bases, then doesn't it?

Either Android is just as secure as everybody else (but it's just SO POPULAR so it's targeted more!),

Or it's less secure (but OH WELL because personal responsibility and freedom!)

Or there are too many forks to even talk about security in the first place (this is just Samsung not Google!!!)

With all possible angles covered, there's no reason to ever feel like Android has any flaws at all, right? It's the perfect product for fanboys! If anything goes wrong, it's either not its fault, only a problem for stupid people, or a blessing in disguise.

tanjiajun_34 said,

And also slip malware into the App update? Just curious do you have a link for the article? And also about the WP API framework, how is it possible that it is impossible to hack? I mean there are things that are aqble to read user data like SMS application. Can't they just read and upload the user data?

Let me be clear, I didn't say that it is IMPOSSIBLE, just highly unlikely.

WP was designed based on the latest security model theories. In the future, there may be new approaches to malware that can get past the protections.

However, in contrast Android and iOS are based on very old security models that are already vulnerable to KNOWN exploits and malware.

It is a bit like NT itself, it was a secure and well designed OS model using the latest OS and security models of the time in 1991/1992. As time passed and new ways to circumvent security were developed, it became as vulnerable as other OSes; especially in new openings that were made to the upper layer WinSxS subsystem.

Because NT had a strong security model, the lower levels of the OS were able to extend to counter newer attacks. The upper layer WinSxS subsystem still has to use virtualization and other newer technologies to regain a credible level of security.

Windows 7/8 are fairly secure because of NT, but the WinSxS will always have vulnerabilities based on how Applications are allowed to run. This is why WinRT was developed to replace Win32, as it enforces principles that WP introduced based on the same set of security theories.

There has also been Zero malware in WinRT to date as well; however, that doesn't mean it will always be impossible. It does mean, that like WP, WinRT was designed to not be subject to known security issues or current malware concepts.


As for an article about using Android updates to inject malware, I'm don't have a quick link. This was something that was discovered by a couple of carriers in the US, like Verizon and was also demonstrated at various white hat meetings.

Edited by Mobius Enigma, Dec 25 2013, 11:02am :

trojan_market said,

In fact Samsung galaxy in the representative of android more than 70% of android devices people are using are Samsung galaxies.

No... Samsung Galaxies do not represent 70% of Android phones in use today.

Last quarter... Samsung only had about 32% of smartphone sales... and quarter prior to that they had roughly 40%

But there is no possible way the Samsung Galaxy makes up 70% of the smartphone market. You are mistaken.

Samsung may the be largest *single* smartphone vendor by volume... but non-Samsung Android phones outnumber Samsung and their Galaxy phones in particular.

SharpGreen said,

Windows Phone is like the Mac of the smartphone world. No one cares enough to make a virus for it.

How about Windows 8's WinRT that is designed on similar security technologies as WP application framework?

There are more people running Windows 8 than are running Macs.

WinRT has zero malware to date, just like WP, it is NOT JUST about popularity.

There are theories, models, and engineered ways to design how an OS handles code and Apps. This is the difference.

Android and iOS use older models that are ALREADY exposed to currently known malware attacks. WP and WinRT are not impervious, but they are designed to not be susceptible to known security exploits. (This is a rather complex subject, but even if you just pick through how isolation and sandbox technologies work, there is a reason WP and WinRT are less likely to be compromised.)

SharpGreen said,

Windows Phone is like the Mac of the smartphone world. No one cares enough to make a virus for it.

Quite the opposite is true. People do care because it's a maleware free phone OS. Our company is ready to dumb iOS and Android for WP8.1 with better server integration.

trojan_market said,

In fact Samsung galaxy in the representative of android more than 70% of android devices people are using are Samsung galaxies. Hello?!

Yes, I know. That wasnt the point. The point was this is Samsung's software that is causing the problem. People always associate Google/Android when it isnt an Android problem. Just because the phone runs Android, doesnt mean that is the problem. OEMS like Samsung out a ton of extra crap on their phones. Its like saying it is Toyota's fault for having faulty tires. Tires are made by someone else and attach to the car...just like Samsungs GUI is made by them at attaches to Android.

This is a Samsung issue and if it was related to all Android devices, it would be much bigger news.

Joshie said,

With all possible angles covered, there's no reason to ever feel like Android has any flaws at all, right? It's the perfect product for fanboys! If anything goes wrong, it's either not its fault, only a problem for stupid people, or a blessing in disguise.

Android has plenty of faults...like anything else out there. But this isnt an Android issue or else the topic would read "Security Vulnerability Reported In All Android Phones"

I am not disputing there is a problem here...it is just annoying when people think Samsung and then assume Android. This was bound to catch up to Samsung considering how heavily modded their UI is.

techbeck said,

Android has plenty of faults...like anything else out there. But this isnt an Android issue or else the topic would read "Security Vulnerability Reported In All Android Phones"

I am not disputing there is a problem here...it is just annoying when people think Samsung and then assume Android. This was bound to catch up to Samsung considering how heavily modded their UI is.

I agree with almost everything you say here.

The only problem is the comments above that rush to defend Android as being just as secure as WP/iOS or claiming that all OSes have the same level of security issues.

You are right, this is not a general Android problem; however, if Android had a stronger security design model, this software wouldn't be able to expose the security vulnerability. i.e. It would be nearly impossible to introduce this type of vulnerability on WP, no matter what Samsung or Nokia added to the OS. This is the only exception that makes it 'somewhat' an Android issue in a more general context.