I would like to inform you that the details of the vulnerability in
built-in system app of Samsung Galaxy S3/S4 (assigned as CVE-2013-4763
and CVE-2013-4764) are now disclosed to public.
In Samsung Galaxy S3/S4, a pre-loaded app, i.e.,
sCloudBackupProvider.apk, is used to provide backup functionality for
the users, and it unintentially exposes several unprotected
components. By exploiting these unprotected components, an
unprivileged app can trigger a so-called restore operation to write
SMS messages back to the standard SMS database file (mmssms.db) used
by the system messaging app, i.e., SecMms.apk. As a result, a smishing
attack can effectively create and inject arbitrary (fake) SMS text
messages. Similarly, fake MMS messages and call logs are also
possible. This vulnerability has been disclosed in CVE-2013-4763.
Also, these components can be sequentially triggered in a specific
order to create arbitrary SMS content, inject to system-wide SMS
database, and then trigger the built-in SMS-sending behavior (to
arbitrary destination). This vulnerability has been disclosed in
QIHU Inc. discovered these vulnerability and informed Samsung Corp. in
June 10, 2013. Samsung confirmed the vulerability and is now preparing
an OTA update. As a temporary workaround, disable the
sCloudBackupProvider.apk app would help block known attack vectors.
Details of CVE-2013-4763 and CVE-2013-4764 can be also found in QIHU
Inc.'s official site:
Z.X. from QIHU Inc.