Abandoned Software is a Security Risk That Manufacturers Must Take Responsibility For
A researcher found that Samsung abandoned its “S Suggest” app which could have opened a security vulnerability for millions of users.
S Suggest is an app and widget for Android that recommends other apps that Samsung had preinstalled on most of its phones – including flagship devices like the Galaxy S III – between 2012 and 2014. After failing to gain popularity, Samsung shut down the service in 2014 and later let the ssuggest.com domain expire, too. The app communicates with that domain to download new content and to report data about the user’s device.
Anyone could notice that ssuggest.com was available, register it and begin serving malicious content or recording device data.
Samsung gave a statement to Motherboard denying that this posed a security risk, stating that controlling the S Suggest domain “does not allow you to install malicious apps, it does not allow you to take control of users’ phones.”
However, the S Suggest app’s permissions contradict that statement. The most dangerous of them was the ability to install apps and packages. It also had the ability to retrieve a list of the user’s running apps, view their network and Wi-Fi connections, and delete other apps.
There would have been plenty of other ways to use the ssuggest.com domain in harmful ways, too – such as replacing existing assets with tracking scripts or advertisements that could have been used to generate profit for criminal hackers.
Samsung should have avoided this vulnerability by keeping ownership of the domain or updating the app to disconnect it from the site (though that would expose some users who don’t update).
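The combination described above – an app that keeps calling a backend nobody owns while holding install/delete permissions – is something a device or fleet auditor can check for. The following script is an added example, not code from the article or from Samsung: it parses an Android manifest for high-risk permissions and flags every hard-coded backend domain that no longer resolves. The manifest, the domain names and the mapping of permission names to capabilities are constructed assumptions for illustration.

```python
# Added audit example: flag apps whose high-risk permissions would be inherited
# by whoever takes over a dead backend domain. Manifest/domains are constructed.
import socket
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities that turn a hijacked update/content server into real damage
HIGH_RISK_PERMISSIONS = {
    "android.permission.INSTALL_PACKAGES": "can install apps/packages",
    "android.permission.DELETE_PACKAGES": "can delete other apps",
    "android.permission.GET_TASKS": "can list running apps",
    "android.permission.ACCESS_WIFI_STATE": "can view Wi-Fi connections",
    "android.permission.ACCESS_NETWORK_STATE": "can view network connections",
}

# Constructed manifest mimicking a preinstalled app-recommendation widget
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.suggest">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
</manifest>"""

def manifest_permissions(manifest_xml):
    """Return the set of uses-permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def domain_resolves(domain):
    """Live check: does the hard-coded backend hostname still resolve?"""
    try:
        socket.gethostbyname(domain)
        return True
    except socket.gaierror:
        return False

def audit_app(manifest_xml, backend_domains, resolver=domain_resolves):
    """Pair every unresolvable backend with the high-risk capabilities
    a new owner of that domain would effectively control."""
    perms = manifest_permissions(manifest_xml)
    risky = sorted(v for k, v in HIGH_RISK_PERMISSIONS.items() if k in perms)
    return [{"domain": d, "exposes": risky}
            for d in backend_domains if not resolver(d)]

if __name__ == "__main__":
    dead = {"suggest-backend.example"}  # stub resolver: offline and deterministic
    for f in audit_app(SAMPLE_MANIFEST, ["suggest-backend.example", "updates.example"],
                       resolver=lambda d: d not in dead):
        print(f"{f['domain']}: dead backend; app {', '.join(f['exposes'])}")
```

A non-resolving name is only a first signal; a domain that has been re-registered by someone else resolves fine, so a production check would also compare WHOIS registrant data against the manufacturer.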
Luckily João Gouveia, the researcher who discovered the domain was available, has registered the domain to prevent it from being misused. This practice is known as “sinkholing” and refers to the act of capturing and discarding the traffic sent to that address. This is the same technique used to defeat the “WannaCry” ransomware which attacked millions of unpatched Windows devices last month.
Gouveia recorded connections from more than 2.1 million unique devices in a 24 hour period – and those devices were frequently connecting to the ssuggest.com domain (a total of 620 million times).
So while Samsung is finished with its S Suggest service, millions of users are still using phones that came with the app pre-installed.
Thanks to Gouveia, no harm has been done, but this vulnerability highlights the role that manufacturers have in keeping devices secure.
Manufacturers’ Responsibility To Support The Software They Force on Users
Android handset manufacturers often struggle to differentiate themselves from their competitors.
Because Android is easy and affordable to license there are literally hundreds of choices that offer nearly identical features. Samsung, like many other major brands, creates additional (and often proprietary) features that can be unique selling points for its phones.
This is mostly copycat software that tries to compete with ‘big name’ features on other phones like Apple’s App Store or Google’s “Ok Google” voice commands. Brands like Samsung, LG, and HTC have all created similar functionality which usually goes unnoticed.
In order to spur adoption these apps usually come pre-installed and may be turned on by default. Manufacturers may even replace Android’s stock functionality with their own versions.
Samsung has an entire “S” line of products, including both hardware and software – which S Suggest was part of.
When they fail – as Samsung has with S Suggest – manufacturers are quick to abandon their software. They want to have their cake and eat it too – by pushing their proprietary software and then leaving the users with the risk of abandoned apps and unmaintained software.
This is not the first time that Samsung has prioritized marketing new features over security. Their Tizen operating system – intended to compete with Android – was heavily criticized earlier this year for its poor programming. Researcher Amihai Neiderman said “it may be the worst code [he’s] ever seen.”
Samsung is not the only company guilty of foisting unwanted software on its users or abandoning apps. The Android ecosystem is frequently criticized for “bloatware” – apps that come preinstalled on phones that are developed by the manufacturer or part of sponsorship deals – and for stopping critical OS updates only a few years after release.
Samsung’s S Suggest screw-up will only cost it a few days of bad press. But when manufacturers regularly abandon their software and devices it’s only a matter of time before a truly dangerous vulnerability occurs.