Hidden Backdoor in Samsung Devices Uncovered, Raising Alarms About Mobile Security, Wearable Devices, and Supply Chain
Lionel Alexi Minko-Legault
President @ Vissidarte Company LLC | Legal Adviser-Consultant
By Alexi Minko, New York, NY
A widening investigation into a sophisticated cyber-intrusion targeting Samsung Android devices has uncovered alarming new evidence suggesting the exploit is far more persistent, widespread, and potentially dangerous than initially thought. The vulnerability, which allows a malicious actor to maintain control over devices even after factory resets, has now been confirmed on multiple Samsung models, including the A11, S21+ 5G, and, most concerningly, the A13, a device that was purchased after the suspected attacker was physically removed from the premises.
This latest finding raises serious questions about the security of the broader Samsung ecosystem, the potential involvement of compromised software updates or malicious apps, and the ability of attackers to leverage seemingly legitimate functionality, including connected wearables like the Galaxy Watch, for nefarious purposes. The ongoing analysis, sparked by unusual activity on a Samsung A11 device, has revealed a consistent pattern of malicious behavior across all affected devices. Central to the exploit is the deep and persistent integration of a yet-unidentified malicious Mobile Device Management (MDM) solution. This MDM appears to operate, at least in part, through a compromised version of the pre-installed Galaxy Apps store. System logs, known as logcat entries, repeatedly show the use of a non-standard login method, LogInEx, to authenticate to Galaxy Apps.
For instance, one log entry from the A11 states:

01-18 20:27:49.766 26135 26135 I LogInExModule: [GalaxyApps login] loginex successed

This seemingly innocuous line indicates a successful login to Galaxy Apps, but the use of LogInEx instead of a standard login protocol suggests the malicious actor is leveraging a hidden or undocumented API, potentially to gain privileged access to the app store and, by extension, to a range of system services.

Further analysis uncovered a disturbing focus on Samsung's Runestone security feature, which is designed to protect the integrity of the device and its data. Consider the following error messages from the A11 logs:

01-18 20:27:50.012 26135 26330 E RunestoneSDK: Bundle parsing error -> Not exist key : isDeviceRubinSupported for isDeviceRunestoneSupported
01-18 20:27:50.013 26135 26330 E RunestoneSDK: Bundle parsing error -> Not exist key : currentWatchRubinState for isWatchRunestoneEnabled

These entries strongly suggest an attempt to either disable, bypass, or exploit vulnerabilities within Runestone. The repeated appearance of the Rubin app further indicates a targeted attack on the core security mechanisms of these devices. The error also references the key isWatchRunestoneEnabled, suggesting the exploit extends to wearables as well.
Perhaps the most alarming finding is the malicious MDM's ability to simulate or remotely control a connection to a Samsung Galaxy Watch 4. Across all compromised devices, logs reveal a fake model string that combines the phone's model number with that of the Galaxy Watch 4 (SM-R870).
For example, the S21+ 5G logs show:

2024-12-17 08:00:01.945 26673 26673 com.sec.android.app.samsungapps [SAUI] : BaseHandle :: fakeModelFromDeepLink:false|hadGearConnected:false|gearMarketingName:Galaxy Watch4|fakeModelName:SM-G996U_SM-R870|gearOsVersion:|

The A13 logs show the same pattern:

2024-12-23 11:46:04.923 27805 27805 com.sec.android.app.samsungapps V [SAUI] : BaseHandle :: fakeModelFromDeepLink:false|hadGearConnected:false|gearMarketingName:Galaxy Watch4|fakeModelName:SM-A136U_SM-R870|gearOsVersion:|
This, coupled with logs from the WatchDeviceEventManager indicating successful connections and repeated attempts by a component called RecommendedSender to start the watch, paints a troubling picture of a compromised wearable ecosystem:

2024-12-17 08:00:02.005 26673 26782 com.sec.android.app.samsungapps WatchDeviceEventManager : WatchDeviceEventManager :: state :: DEVICE_CONNECTING
...
2024-12-17 08:00:02.034 26673 26782 com.sec.android.app.samsungapps WatchDeviceEventManager : WatchDeviceEventManager :: state :: CONNECTION_FINISHED
...
2024-12-17 08:00:09.138 26673 26673 com.sec.android.app.samsungapps RecommendedSender : startWatch
Moreover, the Rubin security component consistently reports a highly unusual watch state = -2 across all affected devices, as evidenced by this log entry from the S21+ 5G:

2024-12-17 08:00:02.062 30646 30658 com.samsung.android.rubin.app Rubin : [267] com.samsung.android.rubin.controller.provider.RubinStateProvider.call(Unknown Source) : RubinStateProvider : watch state = -2
This non-standard status suggests deliberate manipulation or an error state induced by the MDM, potentially to bypass security checks or maintain a persistent connection.

The discovery that a newly purchased Samsung A13 exhibits the same signs of compromise, despite no prior physical access by the suspected attacker, is particularly significant. This finding strongly suggests that the exploit is not solely reliant on physical access and may be spreading through other, more insidious means. Potential vectors include compromised software updates, malicious apps, or even a supply chain attack targeting the Samsung ecosystem. For instance, the following log entries were found on the A13, a device that the attacker never touched physically:

2025-01-01 12:14:47.367 3409 3549 com.sec.android.daemonapp I [WEATHER]WatchDataSync : {[C61197A981D4E5FE5D9A030393F2E675A555578BB9A7A92ECAE82909311FAEB15EDFCB74FCA4CE5D7C92C3651103CBF45B95DB616EACF37BE87E7DB31DC080C2]}
2025-01-01 12:14:47.369 3409 3549 com.sec.android.daemonapp I [WEATHER]WatchDataSync : {[68D54DE84AB95AC39DECBA2B7A5D0A0C12AA78F0466BCFA562A79870843A443100E272954135ADF34FC293B1E1D94530064B9178AF5445DEE25BF7F1564A79FFEC42C5AD562403409B4359A4D3390CFBE8F1588A5A078806A93B06D4E8377B61D0C0BEE35E184B29D98BBB166F9D4393]}
These entries, related to the Samsung Weather app's WatchDataSync function, show attempts to synchronize data with a watch, even on a device that was supposedly clean. The long hexadecimal strings within the curly braces could represent encrypted data, command and control instructions, or unique identifiers used by the MDM.

The A13 logs also revealed an unknown property element within the Galaxy Apps store's manifest file. This could indicate that the Galaxy Apps store APK file has been tampered with, which is highly suspicious and warrants further investigation.

"The persistence of this exploit across multiple devices, including a brand-new phone that I have never connected to the internet and only inserted a SIM card to activate it, is deeply troubling," said Alexi Minko, the researcher leading the investigation. "It suggests that we are dealing with a highly sophisticated attack that may have compromised a critical part of the Samsung software supply chain or update mechanism."

While the full extent of this potential vulnerability remains under investigation, the findings raise critical questions about the security of the Samsung ecosystem and the potential for malicious actors to exploit trusted applications, system services, and even connected wearable devices. The ability of this MDM to survive factory resets on some models and operate at such a fundamental level underscores the need for heightened vigilance and more robust security measures in the face of increasingly sophisticated mobile threats. Further research is urgently needed to determine the precise mechanism of the exploit, the identity of the malicious actor, and the potential impact on other Samsung devices. In the meantime, users are advised to exercise extreme caution when downloading apps, even from trusted sources like the Galaxy Apps store, and to keep their devices updated with the latest security patches.
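The following Python triage helper is an added example, not code from the article or from Samsung: it parses the logcat lines quoted above and pulls out the four fields the author singles out (the LogInEx login, the missing Runestone keys, the composite fakeModelName with hadGearConnected, and the Rubin watch state) so the same extraction can be run on a suspect device and on a known-good device of the same model. The sample lines are the article's own entries embedded as constructed input; the indicator names are my own labels.

```python
import re

# Constructed sample input: the logcat entries quoted in the article, one per line.
# A11 lines omit the year and package name, so the header regex keeps the year optional.
SAMPLE_LOG = """\
01-18 20:27:49.766 26135 26135 I LogInExModule: [GalaxyApps login] loginex successed
01-18 20:27:50.012 26135 26330 E RunestoneSDK: Bundle parsing error -> Not exist key : isDeviceRubinSupported for isDeviceRunestoneSupported
01-18 20:27:50.013 26135 26330 E RunestoneSDK: Bundle parsing error -> Not exist key : currentWatchRubinState for isWatchRunestoneEnabled
2024-12-17 08:00:01.945 26673 26673 com.sec.android.app.samsungapps [SAUI] : BaseHandle :: fakeModelFromDeepLink:false|hadGearConnected:false|gearMarketingName:Galaxy Watch4|fakeModelName:SM-G996U_SM-R870|gearOsVersion:|
2024-12-17 08:00:02.062 30646 30658 com.samsung.android.rubin.app Rubin : [267] com.samsung.android.rubin.controller.provider.RubinStateProvider.call(Unknown Source) : RubinStateProvider : watch state = -2
"""

HEADER = re.compile(r"^(?P<ts>(?:\d{4}-)?\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<rest>.*)$")
MISSING_KEY = re.compile(r"Not exist key : (\S+) for (\S+)")
WATCH_STATE = re.compile(r"watch state = (-?\d+)")

def parse_basehandle(rest):
    """Turn the 'key:value|key:value|' payload after 'BaseHandle ::' into a dict."""
    payload = rest.split("BaseHandle ::", 1)[1]
    fields = {}
    for item in payload.split("|"):
        key, _, value = item.partition(":")  # values may themselves contain ':'
        if key.strip():
            fields[key.strip()] = value.strip()
    return fields

def triage(log_text):
    """Return (timestamp, indicator, detail) for every line matching one of the
    indicators the article singles out; all other lines are ignored."""
    findings = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        ts, rest = m.group("ts"), m.group("rest")
        if "LogInExModule" in rest and "loginex successed" in rest:
            findings.append((ts, "galaxy_apps_loginex", "LogInEx login to Galaxy Apps succeeded"))
        elif (mk := MISSING_KEY.search(rest)):
            findings.append((ts, "runestone_missing_key", f"{mk.group(1)} missing for {mk.group(2)}"))
        elif "BaseHandle ::" in rest:
            kv = parse_basehandle(rest)
            phone, _, gear = kv.get("fakeModelName", "").partition("_")
            # A composite phone_watch model string reported while no gear is connected.
            if gear and kv.get("hadGearConnected") == "false":
                findings.append((ts, "fake_gear_model", f"{phone} reported with {gear} ({kv.get('gearMarketingName')}) but hadGearConnected=false"))
        elif (mw := WATCH_STATE.search(rest)) and int(mw.group(1)) < 0:
            findings.append((ts, "negative_watch_state", f"RubinStateProvider watch state = {mw.group(1)}"))
    return findings
```

Feed triage() a full `adb logcat -d` dump from the suspect phone and another from a clean phone of the same model and firmware; an indicator that shows up on both is baseline platform behaviour, not evidence on its own.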
This investigation serves as a stark reminder of the evolving threat landscape and the need for constant vigilance in the face of increasingly sophisticated cyberattacks. It also highlights the potential risks associated with connected devices, emphasizing the need for manufacturers to implement robust security measures that extend beyond the phone itself to encompass the entire ecosystem of connected devices. The findings also raise alarms for users of Samsung smartwatches, who should be aware of the possibility that their devices could be compromised remotely. Users should enable two-factor authentication for their Samsung accounts and exercise caution when downloading apps from the Galaxy Apps store.