In August 2023, Samsung patched a security vulnerability—CVE-2023-30684—that posed a serious risk to user privacy and device integrity. If you're using a Samsung device manufactured before the August 2023 security release, your phone could have let any local app answer your incoming calls without the necessary permissions. Let's break down how this worked, show some technical details, and see how attackers could have misused it.
The bug is an improper access control in Samsung's Telecom framework.
- An attacker could exploit this by calling the acceptRingingCall() API without holding the required Android permissions.
Normally, Android restricts who can answer calls programmatically, to prevent rogue apps from secretly picking up calls. But due to this bug, malicious apps could side-step these protections—posing a direct privacy risk.
Technical Details: The acceptRingingCall() API
Android's TelecomManager provides a method called acceptRingingCall(). Only privileged apps should be able to use it.
Here's how a normal (secure) implementation looks in Java
// Only system-privileged apps can run this
TelecomManager telecomManager =
(TelecomManager) context.getSystemService(Context.TELECOM_SERVICE);
if (ContextCompat.checkSelfPermission(context, Manifest.permission.ANSWER_PHONE_CALLS) == PackageManager.PERMISSION_GRANTED) {
telecomManager.acceptRingingCall();
}
But on Samsung devices before the patch, this API didn't properly check permissions, making it callable by any local app—even without android.permission.ANSWER_PHONE_CALLS.
How Could Attackers Exploit This?
Imagine you download a malicious app or visit a compromised website that quietly installs a local payload. The attacker could:
The app secretly calls acceptRingingCall().
3. The call gets answered without your knowledge, and the attacker could then listen in or trigger additional actions.
Here’s a *simplified* PoC that could abuse the bug (do not use this maliciously)
TelecomManager telecomManager =
(TelecomManager) context.getSystemService(Context.TELECOM_SERVICE);
try {
// Normally, this would throw a SecurityException without permission
telecomManager.acceptRingingCall();
} catch (SecurityException e) {
Log.e("CVE-2023-30684", "Permission denied (device is patched)");
}
On an unpatched Samsung device, this code would silently answer the call. On a fixed device, it throws SecurityException.
Which Devices Were Affected?
- Samsung Galaxy phones and tablets released before August 2023 and running Samsung's customized Android.
Devices with the below software versions should update:
Reference: Samsung Mobile Security Updates
Always review app permissions.
Although this specific bug abused a missing check, it's good practice to avoid installing unknown apps.
Official References
- Samsung Security Bulletin: CVE-2023-30684
- NIST NVD - CVE-2023-30684
Conclusion
CVE-2023-30684 is an example of how minor implementation errors can have serious privacy effects, even on modern, regularly-updated smartphones. If you're using a Samsung phone, make sure your device is updated past August 2023.
For security researchers, this case underlines the importance of regularly testing device-specific APIs for permission leaks or improper access control.
*Stay safe—keep your software updated!*
Further Reading:
- Android's TelecomManager Documentation)
- Samsung Mobile Security
Timeline
Published on: 08/10/2023 02:15:00 UTC
Last modified on: 08/14/2023 16:11:00 UTC