April 22, 2026 / MOBILE SECURITY, VULNERABILITIES, ANDROID SECURITY, SAMSUNG, PREINSTALLED APPS

Responsible disclosure report: 180 vulnerabilities in Samsung preinstalled apps

Over three years of security research into Samsung’s preinstalled system applications, Oversecured identified 180 vulnerabilities — the largest single mobile security disclosure in history. All issues were responsibly disclosed and patched by Samsung.

180 Vulnerabilities discovered
100% Patched by Samsung
$200K+ Bug bounty awarded
#1 Samsung Hall of Fame

The problem

The unmapped attack surface

When security researchers examine mobile threats, attention typically focuses on malicious apps or vulnerabilities in the Android core. The vendor customization layer — proprietary software manufacturers add to differentiate their devices — receives far less scrutiny.

Preinstalled system applications run with system-level privileges (UID 1000), cannot be removed by users, and operate outside Google Play Protect. A single vulnerability affects hundreds of millions of devices globally through one vendor’s distribution channel.

Unlike third-party applications subject to Google Play Store vetting, preinstalled vendor apps operate with elevated system privileges, cannot be uninstalled by users, and receive minimal scrutiny from the security community.

The Android ecosystem runs on two parallel security systems. AOSP core receives intensive scrutiny from Google and the open-source community. Vendor modifications — the custom layer every manufacturer adds — receive almost none.

Preinstalled app threat properties

Property: Preinstalled app characteristics
Privilege level: UID 1000 (System)
User removable: No — requires rooting
Persists after factory reset: Yes
Global device coverage: 20–25% market share
Trusted by security software: Yes
All reported issues patched: ✓ 100%

By the numbers

Vulnerability categories

The 180 vulnerabilities span six primary exploit categories.
Each class represents a systemic architectural weakness — not a one-off coding mistake.

180 Total vulnerabilities · 2022–2025

Selected findings

Selected critical findings

Complete attack chains assembled exclusively from preinstalled app vulnerabilities. Each was responsibly disclosed and patched by Samsung.

Finding 01 · FactoryCamera · com.sec.factory.camera
Silent Camera and Microphone Access

A debug app shipped on production devices with system privileges. An unprotected broadcast receiver accepts test commands. Any app can trigger it to start recording video — no permission prompt, no camera indicator, video saved to accessible storage.

Finding 02 · SmartThings · com.samsung.android.oneconnect
Remote Samsung Account Takeover

A deep link (sendable via SMS or email) triggers the app to load an attacker-controlled URL in an embedded WebView. JavaScript interfaces expose the user’s Samsung Account tokens to any loaded JS code via McsBridge.getAuthInfo(). The attack required only a single click.

Finding 03 · WifiServiceImpl · Samsung Android Framework
Network Traffic Hijacking via DNS Manipulation

Samsung’s custom Wi-Fi stack exposed semAddPublicDnsAddr() — accessible to any app with zero permissions. An attacker injects a malicious DNS server, redirecting all DNS queries from all apps on the device. No user notification of any kind.

Finding 04 · DualOutFocusViewer · com.samsung.android.app.dofviewer
Arbitrary Code Execution via Crafted Image

A malicious app delivers a specially crafted JPEG. When the victim opens it, the app copies attacker-controlled native libraries from the SD card and loads them via System.load() without signature verification. Code executes with zero permissions required.

Finding 05 · DeX for PC · com.sec.android.app.dexonpc
Unauthorized Screen Capture

The screen mirroring discovery service was exported without permissions.
A malicious app on the same Wi-Fi network calls startScan(), discovers the attacker’s laptop, and calls connect() — the device’s entire screen streams silently without user interaction.

Finding 06 · ThemeManager · com.samsung.android.themecenter
Arbitrary File Write with System Privileges

The ThemeManager app, running with system privileges, contained a path traversal vulnerability. The app allowed writing arbitrary files to the file system without proper path validation, enabling attackers to overwrite files in protected system directories.

Why this matters

The economics of mobile exploitation

Preinstalled app vulnerabilities provide comparable capabilities at near-zero operational cost, affecting 20-25% of the global smartphone market share.

Traditional full-chain exploit: $1.5M
- Zerodium public listing for Android full-chain exploits
- Requires purchasing a browser exploit for initial access
- Then chaining additional exploits to achieve full system control

Preinstalled app vulnerabilities: Near-zero operational cost
- Operate with elevated system privileges (UID 1000)
- System-level access survives factory resets
- Remain trusted by security software
- Affects 20–25% of the global smartphone market share
- Cannot be uninstalled without rooting the device

Systemic risk assessment

Four repeating patterns

These weren’t random bugs. The same architectural weaknesses appeared across Samsung and Xiaomi devices and across multiple research cycles. The pattern is systemic.

Forgotten Debug Interfaces

Multiple vulnerabilities stemmed from debug and testing applications (FactoryCamera, Configuration Update) that shipped on production devices with system privileges and no access controls.

Unsafe Inter-Process Communication

Exported services and broadcast receivers frequently lacked permission checks, allowing privilege escalation from unprivileged apps.

Path Traversal in System Apps

Multiple instances of unsafe file path handling in system-privileged applications enabled arbitrary file access.

Insecure WebView Configurations

JavaScript interfaces exposed sensitive APIs to untrusted web content loaded via deep links.

Research timeline

Three years of coordinated disclosure

Every vulnerability was responsibly disclosed to Samsung. Samsung patched all reported issues and compensated the research team with over $200,000 in bug bounty rewards.

180 vulnerabilities patched · $200K+ total awarded · #1 Samsung Hall of Fame · 100% patch rate

A sophisticated attacker doesn't need a million-dollar zero-day when a forgotten debug app ships on 500 million devices. These vulnerabilities offer persistent system-level access, silent camera control, DNS hijacking, and they're already trusted by the OS. For cyber-espionage, that's perfect: persistent, privileged, invisible, and impossible to remove.

User protection status

Are you protected?

All 180 vulnerabilities were patched through regular Samsung security updates distributed between 2022 and 2025. Users with the current Android Security Patch Level are protected from all reported vulnerabilities.

Coverage: Status
Samsung devices: All patched ✓
Distribution timeline: 2022–2025 security updates
Devices affected (pre-patch): Hundreds of millions
Xiaomi companion research: 20+ vulnerabilities identified

Don’t wait for a disclosure

The same gaps exist in your apps

The vulnerability patterns found in Samsung preinstalled apps - unsafe IPC, insecure WebViews, path traversal in privileged components - appear in mobile banking, fintech, and enterprise apps every day. Oversecured finds them before attackers do.