Over three years of security research into Samsung’s preinstalled system applications, Oversecured identified 180 vulnerabilities — the largest single mobile security disclosure in history. All issues were responsibly disclosed and patched by Samsung.

180 vulnerabilities discovered

The problem

The unmapped attack surface

When security researchers examine mobile threats, attention typically focuses on malicious apps or vulnerabilities in the Android core. The vendor customization layer — proprietary software manufacturers add to differentiate their devices — receives far less scrutiny.

Unlike third-party applications, which are subject to Google Play Store vetting, preinstalled system applications run with system-level privileges (UID 1000), cannot be removed by users, operate outside Google Play Protect, and receive minimal scrutiny from the security community. A single vulnerability affects hundreds of millions of devices globally through one vendor’s distribution channel.

The Android ecosystem runs on two parallel security systems. AOSP core receives intensive scrutiny from Google and the open-source community. Vendor modifications — the custom layer every manufacturer adds — receive almost none.

Preinstalled app threat properties

Property | Preinstalled app characteristics
Privilege level | UID 1000 (System)
User removable | No — requires rooting
Persists after factory reset | Yes
Global device coverage | 20–25% market share
Trusted by security software | Yes
All reported issues patched | ✓ 100%

By the numbers

Vulnerability categories

The 180 vulnerabilities span six primary exploit categories. Each class represents a systemic architectural weakness — not a one-off coding mistake.

180 Total vulnerabilities · 2022–2025

Selected findings

Selected critical findings

Complete attack chains assembled exclusively from preinstalled app vulnerabilities. Each was responsibly disclosed and patched by Samsung.

Finding 01 · FactoryCamera · com.sec.factory.camera

Silent Camera and Microphone Access

A debug app shipped on production devices with system privileges. An unprotected broadcast receiver accepts test commands. Any app can trigger it to start recording video — no permission prompt, no camera indicator, video saved to accessible storage.

Finding 02 · SmartThings · com.samsung.android.oneconnect

Remote Samsung Account Takeover

A deep link (sendable via SMS or email) triggers the app to load an attacker-controlled URL in an embedded WebView. JavaScript interfaces expose the user’s Samsung Account tokens to any loaded JS code via McsBridge.getAuthInfo(). The attack required only a single click.

Finding 03 · WifiServiceImpl · Samsung Android Framework

Network Traffic Hijacking via DNS Manipulation

Samsung’s custom Wi-Fi stack exposed semAddPublicDnsAddr() — accessible to any app with zero permissions. An attacker injects a malicious DNS server, redirecting all DNS queries from all apps on the device. No user notification of any kind.

Finding 04 · DualOutFocusViewer · com.samsung.android.app.dofviewer

Arbitrary Code Execution via Crafted Image

A malicious app delivers a specially crafted JPEG. When the victim opens it, the app copies attacker-controlled native libraries from the SD card and loads them via System.load() without signature verification. Code executes with zero permissions required.

Finding 05 · DeX for PC · com.sec.android.app.dexonpc

Unauthorized Screen Capture

The screen mirroring discovery service was exported without permissions. A malicious app on the same Wi-Fi network calls startScan(), discovers the attacker’s laptop, and calls connect() — the device’s entire screen streams silently without user interaction.

Finding 06 · ThemeManager · com.samsung.android.themecenter

Arbitrary File Write with System Privileges

The ThemeManager app, running with system privileges, contained a path traversal vulnerability. The app allowed writing arbitrary files to the file system without proper path validation, enabling attackers to overwrite files in protected system directories.

Why this matters

The economics of mobile exploitation

Preinstalled app vulnerabilities provide capabilities comparable to a traditional full-chain exploit at near-zero operational cost, on devices that account for 20–25% of the global smartphone market.

Traditional full-chain exploit

$1.5M (Zerodium public listing for Android full-chain exploits)

  • Requires purchasing a browser exploit for initial access
  • Then chaining additional exploits to achieve full system control

Preinstalled app vulnerabilities

Near-zero operational cost

  • Operate with elevated system privileges (UID 1000)
  • System-level access survives factory resets
  • Remain trusted by security software
  • Affect 20–25% of the global smartphone market
  • Cannot be uninstalled without rooting the device

Systemic risk assessment

Four repeating patterns

These weren’t random bugs. The same architectural weaknesses appeared across Samsung and Xiaomi devices and across multiple research cycles. The pattern is systemic.

Forgotten Debug Interfaces

Multiple vulnerabilities stemmed from debug and testing applications (FactoryCamera, Configuration Update) that shipped on production devices with system privileges and no access controls.

Unsafe Inter-Process Communication

Exported services and broadcast receivers frequently lacked permission checks, allowing privilege escalation from unprivileged apps.
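The check below is an added example, not Oversecured's or Samsung's code: it audits a decoded AndroidManifest.xml for the two patterns above, components that are exported with no permission or with a permission any app can hold. The package, class and permission names in the sample are constructed; permissions not declared in the manifest itself are not judged.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: a decoded AndroidManifest.xml with hypothetical names.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.factorytool" android:sharedUserId="android.uid.system">
  <permission android:name="com.example.factorytool.TEST" android:protectionLevel="normal"/>
  <application>
    <receiver android:name=".TestCommandReceiver">
      <intent-filter><action android:name="com.example.factorytool.RUN_TEST"/></intent-filter>
    </receiver>
    <service android:name=".ScanService" android:exported="true"/>
    <service android:name=".WeakService" android:exported="true"
        android:permission="com.example.factorytool.TEST"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <service android:name=".JobService" android:exported="true"
        android:permission="android.permission.BIND_JOB_SERVICE"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (tag, name, reason) for components any installed app can reach."""
    root = ET.fromstring(xml_text)
    # Permissions declared in this manifest; protectionLevel defaults to "normal".
    levels = {p.get(NS + "name"): (p.get(NS + "protectionLevel") or "normal").split("|")[0]
              for p in root.findall("permission")}
    app = root.find("application")
    if app is None:
        return []
    findings = []
    for comp in (c for c in app if c.tag in COMPONENTS):
        exported = comp.get(NS + "exported")
        if exported is None:  # legacy default (targetSdk < 31): intent-filter implies exported
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported != "true":
            continue
        perm = comp.get(NS + "permission") or app.get(NS + "permission")
        if perm is None:
            findings.append((comp.tag, comp.get(NS + "name"), "exported without permission"))
        elif levels.get(perm) in ("normal", "dangerous"):
            findings.append((comp.tag, comp.get(NS + "name"),
                             f"guarded only by {levels[perm]}-level permission {perm}"))
    return findings

def runs_as_system(xml_text):
    # sharedUserId android.uid.system maps the package to UID 1000.
    return ET.fromstring(xml_text).get(NS + "sharedUserId") == "android.uid.system"
```

Findings on a package for which `runs_as_system` is true deserve the first look, since each reachable component executes with system privileges.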

Path Traversal in System Apps

Multiple instances of unsafe file path handling in system-privileged applications enabled arbitrary file access.

Insecure WebView Configurations

JavaScript interfaces exposed sensitive APIs to untrusted web content loaded via deep links.
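One way to close the deep-link path described above and in Finding 02, shown as an added example that is not the vendor's fix: validate the URL carried by a deep link before it reaches a WebView that has a JavaScript interface attached. The `exampleapp` scheme, the `url` parameter name and the trusted hosts are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical values for this example: deep-link parameter name and trusted hosts.
URL_PARAM = "url"
TRUSTED_HOSTS = {"account.example.com", "help.example.com"}


def target_from_deep_link(deep_link):
    """Extract the single URL parameter from a deep link, or None if absent or repeated."""
    values = parse_qs(urlsplit(deep_link).query).get(URL_PARAM, [])
    return values[0] if len(values) == 1 else None


def may_load_with_bridge(url):
    """True only if url may be loaded in a WebView that exposes a JavaScript interface."""
    if url is None or not url.isascii():
        return False
    # Backslashes and whitespace are interpreted differently by different URL parsers.
    if any(ch in url for ch in "\\ \t\r\n"):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo lets a trusted name appear in front of another host
    # Exact match: suffix or substring checks accept look-alike hosts.
    return parts.hostname in TRUSTED_HOSTS


# Constructed deep links and the decision expected for each.
CASES = {
    "exampleapp://web?url=https%3A%2F%2Faccount.example.com%2Fprofile": True,
    "exampleapp://web?url=https%3A%2F%2Funtrusted.test%2F": False,
    "exampleapp://web?url=https%3A%2F%2Faccount.example.com.untrusted.test%2F": False,
    "exampleapp://web?url=https%3A%2F%2Faccount.example.com%40untrusted.test%2F": False,
    "exampleapp://web?url=https%3A%2F%2Funtrusted.test%5C%40account.example.com%2F": False,
    "exampleapp://web?url=http%3A%2F%2Faccount.example.com%2F": False,
    "exampleapp://web?url=https%3A%2F%2Fa.test%2F&url=https%3A%2F%2Faccount.example.com%2F": False,
}


def check_cases():
    return {link: may_load_with_bridge(target_from_deep_link(link)) for link in CASES}
```

The same decision has to be repeated on every navigation and redirect inside the WebView, because the bridge stays attached after the first page load.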

Research timeline

Three years of coordinated disclosure

Every vulnerability was responsibly disclosed to Samsung. Samsung patched all reported issues and compensated the research team with over $200,000 in bug bounty rewards.

180 vulnerabilities patched · $200K+ total awarded · #1 Samsung Hall of Fame · 100% patch rate

A sophisticated attacker doesn't need a million-dollar zero-day when a forgotten debug app ships on 500 million devices. These vulnerabilities offer persistent system-level access, silent camera control, DNS hijacking, and they're already trusted by the OS. For cyber-espionage, that's perfect: persistent, privileged, invisible, and impossible to remove.

User protection status

Are you protected?

All 180 vulnerabilities were patched through regular Samsung security updates distributed between 2022 and 2025. Users with the current Android Security Patch Level are protected from all reported vulnerabilities.

Coverage | Status
Samsung devices | All patched ✓
Distribution timeline | 2022–2025 security updates
Devices affected (pre-patch) | Hundreds of millions
Xiaomi companion research | 20+ vulnerabilities identified

Don’t wait for a disclosure

The same gaps exist in your apps

The vulnerability patterns found in Samsung preinstalled apps - unsafe IPC, insecure WebViews, path traversal in privileged components - appear in mobile banking, fintech, and enterprise apps every day. Oversecured finds them before attackers do.