Samsung Mobile Security

Security Updates

We truly appreciate the following security researchers for helping us improve the security of our mobile applications, wearable devices and personal computers. We would like to thank them for disclosing the vulnerability reports responsibly and working with us throughout the process.

Please note that while we are doing our best to release the security patches as soon as possible to all applicable devices and services, release time of security patches may vary depending on the device version and models or service versions.


Android Application Updates


SVE-2021-23918 (CVE-2022-28789): Unprotected activities in Voice Note

Severity: Moderate
Resolved Version: 21.3.51.11
Reported on: November 11, 2021
Description: Unprotected activities in Voice Note prior to version 21.3.51.11 allow attackers to record voice without user interaction.
The patch adds proper permission for vulnerable activities.
Acknowledgement: Rahul Kankrale


SVE-2022-0763 (CVE-2022-28790): Improper authentication in Link to Windows Service

Severity: Moderate
Resolved Version: 2.3.04.1
Reported on: March 27, 2022
Description: Improper authentication in Link to Windows Service prior to version 2.3.04.1 allows an attacker to lock the device.
The patch adds proper caller signature check logic.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2022-0817 (CVE-2022-28791): Improper input validation in Galaxy Store

Severity: Moderate
Resolved Version: 4.5.41.8
Reported on: April 1, 2022
Description: Improper input validation vulnerability in Install Agent in Galaxy Store prior to version 4.5.41.8 allows an attacker to overwrite files stored in a specific path.
The patch adds proper protection to prevent overwriting existing files.
Acknowledgement: Dawn Security Lab, JDcom



PC Updates


SVE-2022-0539 (CVE-2022-28792): DLL hijacking vulnerability in Gear IconX PC Manager

Severity: Moderate
Resolved Version: 2.1.220405.51
Reported on: March 9, 2022
Description: DLL hijacking vulnerability in Gear IconX PC Manager prior to version 2.1.220405.51 allows an attacker to execute arbitrary code.
The patch adds a proper absolute path to prevent DLL hijacking.
Acknowledgement: Soojin Cho of DNSLab, Korea University



Other Software Updates


SVE-2021-23587 (CVE-2022-28793): Improper state maintenance in Strong Box

Severity: Moderate
Resolved Version: Galaxy S22
Reported on: October 14, 2022
Description: Given that the TEE is compromised and controlled by the attacker, improper state maintenance in Strong Box allows attackers to change the Android ROT during the device boot cycle after compromising the TEE.
The patch is applied in Galaxy S22 to prevent changes to the Android ROT after its first initialization at boot time.
Acknowledgement: Federico Menarini and Martijn Bogaard of Riscure



Android Application Updates


SVE-2021-23930 (CVE-2022-27838): Improper access control in Factory Camera

Severity: High
Resolved Version: 2.1.96
Reported on: November 14, 2021
Description: Improper access control vulnerability in Factory Camera prior to version 2.1.96 allows an attacker to access the file with system privilege.
Acknowledgement: Luke Symons


SVE-2021-23993 (CVE-2022-27839): Improper authentication vulnerability in Secret Mode in Samsung Internet

Severity: Moderate
Resolved Version: 16.2.1
Reported on: December 22, 2021
Description: Improper authentication vulnerability in Secret Mode in Samsung Internet prior to version 16.2.1 allows attackers to access the bookmark tab without proper credentials.
Acknowledgement: Harsh Tyagi


SVE-2021-24297 (CVE-2022-27841): Vulnerability that allows viewing the previously running screen in Samsung Pass without authentication

Severity: Moderate
Resolved Version: 3.0.07.5
Reported on: December 17, 2021
Description: Improper exception handling in Samsung Pass prior to version 3.7.07.5 allows a physical attacker to view the previously running screen without authentication.
Acknowledgement: Harsh Tyagi


SVE-2022-0117 (CVE-2022-28542): Possible to access arbitrary content providers with Galaxy Store permission

Severity: High
Resolved Version: 4.5.40.5
Reported on: January 12, 2022
Description: Improper sanitization of incoming intent in Galaxy Store prior to version 4.5.40.5 allows local attackers to access privileged content providers with Galaxy Store permission.
Acknowledgement: hluwa


SVE-2022-0269 (CVE-2022-28543): Path traversal vulnerability in Samsung Flow

Severity: Moderate
Resolved Version: 4.8.07.4
Reported on: February 2, 2022
Description: Path traversal vulnerability in Samsung Flow prior to version 4.8.07.4 allows local attackers to read arbitrary files with Samsung Flow permission.
Acknowledgement: 남지효


SVE-2022-0358 (CVE-2022-28544): Path traversal vulnerability in Galaxy Store

Severity: Moderate
Resolved Version: 4.5.40.5
Reported on: February 14, 2022
Description: Path traversal vulnerability in unzip method of InstallAgentCommonHelper in Galaxy Store prior to version 4.5.40.5 allows an attacker to access the file of Galaxy Store.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2021-23625 (CVE-2022-28775): Improper access control in Samsung Flow

Severity: Moderate
Resolved Version: 4.8.06.5
Reported on: October 19, 2021
Description: Improper access control vulnerability in Samsung Flow prior to version 4.8.06.5 allows an attacker to write the file without Samsung Flow permission.
Acknowledgement: Ken Gannon 


SVE-2021-23627 (CVE-2022-28776): Improper access control vulnerability in Galaxy Store

Severity: High
Resolved Version: 4.5.36.4
Reported on: October 16, 2021
Description: Improper access control vulnerability in Galaxy Store prior to version 4.5.36.4 allows an attacker to install applications from Galaxy Store without user interaction.
Acknowledgement: Ken Gannon


SVE-2021-23786 (CVE-2022-28777): Improper access control in Samsung Members

Severity: Moderate
Resolved Version: 13.6.08.5
Reported on: November 2, 2021
Description: Improper access control vulnerability in Samsung Members prior to version 13.6.08.5 allows a local attacker to execute the call function without CALL_PHONE permission.
Acknowledgement: Zhongquan Li 


SVE-2021-23853 (CVE-2022-1230): Redirect Navigation Confused Vulnerability

Severity: Moderate
Resolved Version: 4.5.40.5
Reported on: November 5, 2021
Description: Synchronization issue during navigation process with browser and renderer prior to version 4.5.40.5 allows an attacker to access unauthorized URLs in WebView.
Acknowledgement: Sam Thomas of Pentest Ltd


PC Updates


SVE-2022-0082 (CVE-2022-27842): DLL hijacking vulnerability in Smart Switch PC

Severity: Moderate
Resolved Version: 4.2.22022_4
Reported on: January 7, 2022
Description: DLL hijacking vulnerability in Smart Switch PC prior to version 4.2.22022_4 allows an attacker to execute arbitrary code.
Acknowledgement: DoHyun Lee(@l33d0hyun) of DNSLab, Korea University


SVE-2022-0083 (CVE-2022-27843): DLL hijacking vulnerability in Kies

Severity: Moderate
Resolved Version: 2.6.4.22014_2
Reported on: January 7, 2022
Description: DLL hijacking vulnerability in Kies prior to version 2.6.4.22014_2 allows an attacker to execute arbitrary code.
Acknowledgement: DoHyun Lee(@l33d0hyun) of DNSLab, Korea University


SVE-2022-0115 (CVE-2022-28541): Uncontrolled search path element vulnerability in Samsung Update

Severity: Moderate
Resolved Version: 3.0.77.0
Reported on: January 12, 2022
Description: Uncontrolled search path element vulnerability in Samsung Update prior to version 3.0.77.0 allows attackers to execute arbitrary code with Samsung Update permission.
Acknowledgement: DoHyun Lee(@l33d0hyun) of DNSLab, Korea University


SVE-2021-24074 (CVE-2022-27840): Possible to delete arbitrary files with Samsung Recovery permission

Severity: Moderate
Resolved Version: 8.1.43.0
Reported on: December 29, 2021
Description: Improper access control vulnerability in Samsung Recovery prior to version 8.1.43.0 allows local attackers to delete arbitrary files with Samsung Recovery permission.
Acknowledgement: doit_man


SVE-2021-24075 (CVE-2022-28778): Improper access control vulnerability in Samsung Security Supporter

Severity: Moderate
Resolved Version: 1.2.40.0
Reported on: November 30, 2021
Description: Improper access control vulnerability in Samsung Security Supporter prior to version 1.2.40.0 allows an attacker to set an arbitrary folder as Secret Folder without Samsung Security Supporter permission.
Acknowledgement: doit_man 


SVE-2021-24333 (CVE-2022-28779): Uncontrolled search path element vulnerability in Samsung Android USB Driver Windows installer program

Severity: Low
Resolved Version: 1.7.50
Reported on: December 18, 2021
Description: Uncontrolled search path element vulnerability in Samsung Android USB Driver Windows installer program prior to version 1.7.50 allows an attacker to execute arbitrary code.
Acknowledgement: DoHyun Lee(@l33d0hyun) of DNSLab, Korea University



Android Application Updates

SVE-2021-23764 (CVE-2022-25823): Information Exposure vulnerability in Galaxy Watch Plugin

Severity: Moderate
Resolved Version: 2.2.05.220126741
Reported on: November 1, 2021
Description: Information Exposure vulnerability in Galaxy Watch Plugin prior to version 2.2.05.220126741 allows attackers to access user information in the log.
Acknowledgement: Andr. Ess


SVE-2021-23693 (CVE-2022-25824): Improper access control vulnerability in Bixby Touch

Severity: High
Resolved Version: 2.2.00.6
Reported on: October 25, 2021
Description: Improper access control vulnerability in BixbyTouch prior to version 2.2.00.6 in China models allows untrusted applications to load arbitrary URLs and local files in WebView.
Acknowledgement: Dawuge of Pangu Team


SVE-2021-23600 (CVE-2022-25825): Improper access control vulnerability in Samsung Account

Severity: High
Resolved Version: 13.1.0.1
Reported on: October 16, 2021
Description: Improper access control vulnerability in Samsung Account prior to version 13.1.0.1 allows attackers to access the authcode for sign-in.
Acknowledgement: Josip Franjkovic


SVE-2022-0441 (CVE-2022-25826, CVE-2022-25827, CVE-2022-25828, CVE-2022-25829, CVE-2022-25830): Information Exposure vulnerability in Galaxy Watch Plugin

Severity: Moderate
Resolved Version: Galaxy S3 PlugIn 2.2.03.22012751, Galaxy Watch PlugIn 2.2.05.22012751, Watch Active PlugIn 2.2.07.22012751, Watch Active2 PlugIn 2.2.08.22012751 and Galaxy Watch3 Plugin 2.2.09.22012751
Reported on: January 8, 2022
Description: Information Exposure vulnerability in Galaxy Watch Plugin prior to versions 2.2.03.22012751 in Galaxy S3 PlugIn, 2.2.05.22012751 in Galaxy Watch PlugIn, 2.2.07.22012751 in Watch Active PlugIn, 2.2.08.22012751 in Watch Active2 PlugIn and 2.2.09.22012751 in Galaxy Watch3 Plugin allows an attacker to access password information of connected WiFiAp in the log.
Acknowledgement: Andr. Ess



Android Application Updates


SVE-2021-23428 (CVE-2022-23433): Improper access control vulnerability in Reminder

Severity: Low
Resolved Version: 12.3.01.3000 in Android S(12), 12.2.05.6000 in Android R(11) and 11.6.08.6000 in Android Q(10)
Reported on: October 01, 2021
Description: Improper access control vulnerability in Reminder prior to versions 12.3.01.3000 in Android S(12), 12.2.05.6000 in Android R(11) and 11.6.08.6000 in Android Q(10) allows attackers to register reminders or execute exported activities remotely.
Acknowledgement: Gabriel Campana


SVE-2021-23614 (CVE-2022-23434): Vulnerability using PendingIntent in Bixby Vision

Severity: Moderate
Resolved Version: 3.7.60.8 in Android S(12), 3.7.50.6 in Android R(11) and below
Reported on: October 17, 2021
Description: Vulnerability using PendingIntent in Bixby Vision prior to versions 3.7.60.8 in Android S(12), 3.7.50.6 in Android R(11) and below allows attackers to execute privileged action by hijacking and modifying the intent.
Acknowledgement: h0rd7


SVE-2021-22979 (CVE-2022-24002): Improper Authorization vulnerability in Link Sharing

Severity: Low
Resolved Version: 12.4.00.3
Reported on: August 16, 2021
Description: Improper Authorization vulnerability in Link Sharing prior to version 12.4.00.3 allows attackers to open protected activity via PreconditionActivity.
Acknowledgement: Dawuge of Pangu Team


SVE-2021-23281 (CVE-2022-24003): Exposure of Sensitive Information vulnerability in Bixby Vision

Severity: Moderate
Resolved Version: 3.7.50.6
Reported on: September 17, 2021
Description: Exposure of Sensitive Information vulnerability in Bixby Vision prior to version 3.7.50.6 allows attackers to access internal data of Bixby Vision via unprotected intent.
Acknowledgement: Sergey Toshin


SVE-2021-23092 (CVE-2022-23998): Improper access control vulnerability in Camera

Severity: High
Resolved Version: 11.1.02.16 in Android R(11), 10.5.03.77 in Android Q(10) and 9.0.6.68 in Android P(9)
Reported on: August 30, 2021
Description: Improper access control vulnerability in Camera prior to versions 11.1.02.16 in Android R(11), 10.5.03.77 in Android Q(10) and 9.0.6.68 in Android P(9) allows untrusted applications to take a picture in screenlock status.
Acknowledgement: Rahul Kankrale


SVE-2021-23694 (CVE-2022-24923): Improper access control vulnerability in Search Widget

Severity: High
Resolved Version: 2.3.00.6
Reported on: October 25, 2021
Description: Improper access control vulnerability in Samsung Search Widget prior to version 2.3.00.6 in China models allows untrusted applications to load arbitrary URLs and local files in WebView.
Acknowledgement: Dawuge of Pangu Team


SVE-2021-23494 (CVE-2022-24926): Improper input validation vulnerability in SmartTag Plugin

Severity: High
Resolved Version: 1.2.15-6
Reported on: October 07, 2021
Description: Improper input validation vulnerability in SmartTag Plugin prior to version 1.2.15-6 allows privileged attackers to trigger an XSS on a victim's device.
Acknowledgement: Martin Heyden


SVE-2021-22646 (CVE-2022-24927): Improper privilege management vulnerability in Samsung Video Player

Severity: Moderate
Resolved Version: 7.3.15.30
Reported on: July 30, 2021
Description: Improper privilege management vulnerability in Samsung Video Player prior to version 7.3.15.30 allows attackers to execute video files without permission.
Acknowledgement: Dawuge of Pangu Team



PC Updates

SVE-2021-24089 (CVE-2022-24924): Improper access control vulnerability in LiveWallpaperService

Severity: Low
Resolved Version: 3.0.9.0
Reported on: November 30, 2021
Description: Improper access control in LiveWallpaperService prior to version 3.0.9.0 allows creation of a specifically named system directory without proper permission.
Acknowledgement: Hee-Chan Kim



Other Software Updates


SVE-2021-22370 (CVE-2022-24001): Information disclosure vulnerability in Edge Panel

Severity: Moderate
Resolved Version: Android S(12)
Reported on: June 29, 2021
Description: Information disclosure vulnerability in Edge Panel prior to Android S(12) allows physical attackers to access a screenshot in the clipboard via Edge Panel.
Acknowledgement: chae


SVE-2021-21467 (CVE-2022-24925): Improper input validation vulnerability in SettingsProvider

Severity: Moderate
Resolved Version: Android S(12)
Reported on: April 14, 2021
Description: Improper input validation vulnerability in SettingsProvider prior to Android S(12) allows privileged attackers to trigger a permanent denial of service attack on a victim's device.
Acknowledgement: WuHeng Lab of Bytedance



Android Application Updates


SVE-2021-22590 (CVE-2022-22283): Account is not logged out in Samsung Health Android App after Remove from inactive device

Severity: Low
Resolved Version: 6.20.1.005
Reported on: July 10, 2021
Description: Improper session management vulnerability in Samsung Health prior to 6.20.1.005 prevents logging out from Samsung Health App.
Acknowledgement: Rohit Kumar


SVE-2021-23292 (CVE-2022-22284): Authentication bypass in Samsung browser secret mode

Severity: Low
Resolved Version: 16.0.2.19
Reported on: October 19, 2021
Description: Improper authentication vulnerability in Samsung Internet prior to 16.0.2.19 allows attackers to bypass secret mode password authentication.
Acknowledgement: Harsh Tyagi


SVE-2021-23607 (CVE-2022-22285): Hijack the PendingIntent containing Implicit Intent in the Reminder app to read Contacts

Severity: Moderate
Resolved Version: 12.2.05.0 in Android R(11.0) and 12.3.02.1000 in Android S(12.0)
Reported on: October 17, 2021
Description: A vulnerability using PendingIntent in Reminder prior to version 12.2.05.0 in Android R(11.0) and 12.3.02.1000 in Android S(12.0) allows attackers to execute privileged action by hijacking and modifying the intent.
Acknowledgement: h0ard7


SVE-2021-23608 (CVE-2022-22286): Hijack the PendingIntent containing Implicit Intent in the Bixby Routines app to read Contacts

Severity: Moderate
Resolved Version: 3.1.21.8 in Android R(11.0) and 2.6.30.5 in Android Q(10.0)
Reported on: October 17, 2021
Description: A vulnerability using PendingIntent in Bixby Routines prior to version 3.1.21.8 in Android R(11.0) and 2.6.30.5 in Android Q(10.0) allows attackers to execute privileged action by hijacking and modifying the intent.
Acknowledgement: h0ard7


SVE-2021-23749 (CVE-2022-22287): Arbitrary file access vulnerability in Samsung Email

Severity: Moderate
Resolved Version: 6.1.60.16
Reported on: October 29, 2021
Description: Arbitrary file access vulnerability in Samsung Email prior to 6.1.60.16 allows an attacker to read isolated data in the sandbox.
Acknowledgement: Dzmitry Lukyanenka


SVE-2021-23791 (CVE-2022-22288): Remote app installation vulnerability in Galaxy Store

Severity: Critical
Resolved Version: 4.5.36.5
Reported on: November 3, 2021
Description: Improper authorization vulnerability in Galaxy Store prior to 4.5.36.5 allows remote app installation of the allowlist.
Acknowledgement: Ken Gannon


SVE-2021-23888 (CVE-2022-22289): Sensitive information disclosure in S Assistant

Severity: Moderate
Resolved Version: 7.5
Reported on: November 9, 2021
Description: Improper access control vulnerability in S Assistant prior to version 7.5 allows an attacker to remotely get sensitive information.
Acknowledgement: hongquan Li @ ADLab of VenusTech


SVE-2021-23944 (CVE-2022-22290): Incorrect UI in Downloads in Samsung Browser

Severity: Moderate
Resolved Version: 16.0.6.23
Reported on: November 15, 2021
Description: Incorrect UI in Downloads in Samsung Internet prior to 16.0.6.23 allows attackers to perform domain spoofing via a crafted HTML page.
Acknowledgement: Kirtikumar Anandrao Ramchandani