close

Samsung Mobile Security
Cookie Policy

Updated on May 1, 2021

This Cookie Policy describes the different types of cookies that may be used in connection with Samsung Mobile Security website which is owned and controlled by Samsung Electronics Co., Ltd (“Samsung Electronics”). This Cookie Policy also describes how you can manage cookies.

It’s important that you check back often for updates to the Policy as we may change it from time to time to reflect changes to our use of cookies. Please check the date at the top of this page to see when this Policy was last revised. Any changes to this Policy will become effective when we make the revised Policy available on our website.

Samsung Electronics has offices across Europe, so we can ensure that your request or query will be handled by the data protection team based in your region. If you have any questions, the easiest way to contact us is through our Privacy Support Page at https://www.samsung.com/request-desk.

You can also contact us at:

European Data Protection Officer
Samsung Electronics (UK) Limited
Samsung House, 1000 Hillswood Drive, Chertsey, Surrey KT16 0PS

Cookies

Cookies are small files that store information on your computer, TV, mobile phone, or other device. They enable the entity that put the cookie on your device to recognize you across different websites, services, devices, and/or browsing sessions.

We use the following types of cookies on this website:

Essential Cookies: enable you to receive the services you request via our website. Without these cookies, services that you have asked for cannot be provided. For example, these enable to identify users and provide proper service for each user. These cookies are automatically enabled and cannot be turned off because they are essential to enable you to browse our website. Without these cookies this Samsung Mobile Security website could not be provided.

Cookie Domain Purpose
JSESSIONID security.samsungmobile.com to keep login session
lastActivityTime security.samsungmobile.com to save the user's last activity time to automatically logout after 30 minutes of inactivity

Managing Cookies and Other Technologies

You can also update your browser settings at any time, if you want to remove or block cookies from your device (consult your browser's "help" menu to learn how to remove or block cookies). Samsung Electronics is not responsible for your browser settings. You can find good and simple instructions on how to manage cookies on the different types of web browsers at http://www.allaboutcookies.org.

Go straight to the menu Go straight to the text

Security Updates

Disclaimer

  • Please note that in some cases regular OS upgrades may cause delays to planned security updates. However, users can be rest assured the OS upgrades will include up-to-date security patches when delivered.
  • While we are doing our best to deliver the security patches as soon as possible to all applicable models, delivery time of security patches may vary depending on the regions and models.
  • Some patches to be received from chipset vendors (also known as Device Specific patches) may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver.

Acknowledgements

Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – January 2022 package. The Bulletin (January 2022) contains the following CVE items:

Critical
CVE-2021-30275, CVE-2021-30276

High
CVE-2021-30270, CVE-2021-30279, CVE-2021-30278, CVE-2021-30269, CVE-2021-30283, CVE-2021-1918, CVE-2021-30274, CVE-2021-30272, CVE-2021-30282, CVE-2021-30271, CVE-2021-1894, CVE-2020-11263, CVE-2021-33909, CVE-2021-30337, CVE-2021-30335, CVE-2021-30262, CVE-2021-30267, CVE-2021-30293, CVE-2021-30273, CVE-2021-30289, CVE-2021-30268, CVE-2021-30336, CVE-2021-30303, CVE-2020-0368, CVE-2021-0971, CVE-2021-39630, CVE-2021-39632, CVE-2020-0338, CVE-2021-39623, CVE-2021-39620, CVE-2021-39626, CVE-2021-39629, CVE-2021-0643, CVE-2021-39628, CVE-2021-39659

Moderate
CVE-2021-0961, CVE-2021-0661, CVE-2021-0662, CVE-2021-0663, CVE-2021-0673

Already included in previous updates
: None

Not applicable to Samsung devices
CVE-2021-30351, CVE-2021-0675, CVE-2021-0904, CVE-2021-38204, CVE-2021-39618, CVE-2021-39621, CVE-2021-39622, CVE-2021-39625, CVE-2021-39627


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 19 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer’s confidence on security of Samsung Mobile devices. Samsung security index (SSI), found in “Security software version”, SMR January-2022 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.


SVE-2021-23353 (CVE-2022-22263): Arbitrary activity start in SecSettings

Severity: Moderate
Affected versions: Select R(11.0) devices
Reported on: September 24, 2021
Disclosure status: Privately disclosed.
Unprotected dynamic receiver in SecSettings prior to SMR Jan-2022 Release 1 allows untrusted applications to launch arbitrary activity.
The patch adds a proper permission for dynamic receiver.


SVE-2021-23054 (CVE-2022-22264): Arbitrary file access vulnerability in Dressroom

Severity: High
Affected versions: Q(10.0), R(11.0), S(12.0)
Reported on: August 25, 2021
Disclosure status: Privately disclosed.
Improper sanitization of incoming intent in Dressroom prior to SMR Jan-2022 Release 1 allows local attackers to read and write arbitrary files without permission.
The patch sanitizes incoming Intent before using it.


SVE-2021-23365 (CVE-2022-22265): Use-After-Free bug in NPU driver

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0), S(12.0) devices with selected Exynos chipsets
Reported on: September 25, 2021
Disclosure status: Privately disclosed.
An improper check or handling of exceptional conditions in NPU driver prior to SMR Jan-2022 Release 1 allows arbitrary memory write and code execution.
The patch adds proper check of exceptional conditions logic to prevent Use-After-Free.


SVE-2021-23023 (CVE-2022-22266): Wifi scan result leak via the exported TencentWifiSecurity service

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: August 20, 2021
Disclosure status: Privately disclosed.
(Applicable to China models only) Unprotected WifiEvaluationService in TencentWifiSecurity application prior to SMR Jan-2022 Release 1 allows untrusted applications to get WiFi information without proper permission.
The patch adds proper protection to prevent unintended access by other applications.


SVE-2021-23088 (CVE-2022-22267): Implicit Intent hijacking in ActivityMetricsLogger

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0), S(12.0)
Reported on: August 29, 2021
Disclosure status: Privately disclosed.
Implicit Intent hijacking vulnerability in ActivityMetricsLogger prior to SMR Jan-2022 Release 1 allows attackers to get running application information.
The patch changes implicit Intent to explicit Intent to prevent unprivileged access to running application information.


SVE-2021-23254 (CVE-2022-22268): Temporary bypass of Knox Guard via Samsung DeX

Severity: High
Affected versions: P(9.0), Q(10.0), R(11.0), S(12.0)
Reported on: September 14, 2021
Disclosure status: Privately disclosed.
Incorrect implementation of Knox Guard prior to SMR Jan-2022 Release 1 allows physically proximate attackers to temporary unlock the Knox Guard via Samsung DeX mode.
The patch blocks Samsung DeX mode when KnoxGuard locked.


SVE-2021-23364 (CVE-2022-22269): Local Bluetooth MAC address leak

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: September 25, 2021
Disclosure status: Privately disclosed.
Keeping sensitive data in unprotected BluetoothSettingsProvider prior to SMR Jan-2022 Release 1 allows untrusted applications to get a local Bluetooth MAC address.
The patch removes a local Bluetooth MAC address from the unprotected provider.


SVE-2021-23422 (CVE-2022-22270): Contacts information leak via hijacking implicit intent

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: September 30, 2021
Disclosure status: Privately disclosed.
An implicit Intent hijacking vulnerability in Dialer prior to SMR Jan-2022 Release 1 allows unprivileged applications to access contact information.
The patch changes implicit Intent to explicit Intent to prevent unprivileged access to contact.


SVE-2021-23664 (CVE-2022-22271): Arbitrary pointer dereference in TIMA TA

Severity: High
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: October 21, 2021
Disclosure status: Privately disclosed.
A missing input validation before memory copy in TIMA trustlet prior to SMR Jan-2022 Release 1 allows attackers to copy data from arbitrary memory.
The patch adds proper input check not to allow arbitrary memory access.


SVE-2021-23486 (CVE-2022-22272): Improper authorization in TelephonyManager

Severity: Moderate
Affected versions: Q(10.0), R(11.0), S(12.0)
Reported on: October 6, 2021
Disclosure status: Privately disclosed.
Improper authorization in TelephonyManager prior to SMR Jan-2022 Release 1 allows attackers to get IMSI without READ_PRIVILEGED_PERMISSION
The patch modified with proper permission.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Dawn Security Lab, JD.com: SVE-2021-23353, SVE-2021-23054
Seonung Jang of STEALIEN: SVE-2021-23365
XiaGuangshuai in Wuheng Lab of ByteDance.: SVE-2021-23023, SVE-2021-23088, SVE-2021-23364, SVE-2021-23486
양성조: SVE-2021-23254
TerrorBlade: SVE-2021-23422
Sergei Volokitin: SVE-2021-23664