CVE-2022-39884 - How a Simple Flaw in IImsService Exposed Call Info on Samsung Devices

In 2022, Samsung quietly patched an important security flaw in their custom IImsService—the backend dealing with advanced calling features on many Galaxy devices. Known as CVE-2022-39884, this bug was an *improper access control* vulnerability. In plain English: it let a local attacker (like a rogue app on your phone) peek at private call information, bypassing the usual Android permissions.

This post breaks down the vulnerability, gives technical context, shares code snippets, links out to first-party references, and explores how an attacker could have exploited this bug. If you’re interested in real-world Android security, you’ll want to read on!

Vulnerability Overview

- CVE: CVE-2022-39884

Severity: High (Local Privilege Escalation)

- Fixed in: SMR Nov-2022 Release 1
- Impact: Any Android app running on the device could read sensitive call data, *without* user consent.

What Is IImsService?

IImsService manages *VoLTE* (Voice over LTE), *WiFi Calling*, and other network services that modern Samsung phones rely on. It operates as a background service, usually with powerful permissions and access to your private call details.

Why Does Improper Access Control Matter?

On Android, different apps have different permissions. Secure design says: only apps the user approved can see your calls or contacts! Improper access control means an app can tap into hidden APIs or data never meant for it.

See call logs in real-time,

- Know when you’re making/receiving calls,

The Flaw

The IImsService binder service exposed privileged call information using Interprocess Communication (IPC). Normally, system services check the caller’s identity (UID) *and* permissions—but in this case, there was no proper check. Any local app could get a binder handle to IImsService and query sensitive data.

Let’s look at a simplified pseudocode representation

// Vulnerable IImsService Method
public CallInfo getCallInfo(int callId) {
    // Problem: No caller permission check here!
    return internalCallMap.get(callId);
}

In secure code, you’d expect

public CallInfo getCallInfo(int callId) {
    if (!hasRequiredPermission(Binder.getCallingUid())) {
        throw new SecurityException("Permission Denied");
    }
    return internalCallMap.get(callId);
}

But in certain release builds prior to November 2022, that check was missing.

Triggering the Exploit

Suppose you made a simple Android app. With a bit of AIDL (Android Interface Definition Language) code, your malicious app could connect to the IImsService’s exposed binder—even *without* READ_CALL_LOG or other protected permissions!

Sample Proof-of-Concept (POC)

// Connect to the IImsService binder exposed by Samsung firmware
IBinder binder = ServiceManager.getService("imms");
IImsService imms = IImsService.Stub.asInterface(binder);

// Query call info. This shouldn't work if permissions are enforced!
CallInfo info = imms.getCallInfo(1);
Log.d("POC", "Leaked call info: " + info.toString());

The details would depend on exact API implementation (which Samsung doesn’t publish publicly), but this logic holds: the lack of permissions check means your app can get “CallInfo” about any ongoing phone call.

Exploit Impact

- No installation of a malicious APK required—could be sideloaded or abused by a rogue installed app.

Real-World Threats

Adware or spyware could leverage this bug to silently log your private calls, build analytics on your habits, or even intercept sensitive business calls. On devices running older firmware, attackers had a real window to spy with little effort.

Patch & Mitigation

Samsung fixed this in the Nov-2022 Security Maintenance Release (SMR). If your device is on that update or later, you’re safe.

- Patch notes: Samsung SMR Nov-2022
- Official Notice: Samsung Mobile Security

You can confirm your security patch level under *Settings* > *About phone* > *Software information*.

References

- CVE-2022-39884 MITRE entry
- Samsung Security Blog, November 2022
- Android Binder, Security Best Practices

Final Word

CVE-2022-39884 is a classic lesson: Always enforce permissions in your system services. The tiniest slip can allow local, untrusted apps to access private information on millions of phones. Thankfully, Samsung moved quickly—but any delay in installing updates left users exposed.

Tip: *Always keep your device up to date!*

If you found this breakdown useful, share or leave your questions below. And as always—keep learning, keep hacking (ethically)!

Timeline

Published on: 11/09/2022 22:15:00 UTC
Last modified on: 11/10/2022 15:22:00 UTC