Is it a risk to smartphone security?
As reported by the American website Motherboard, Samsung let a domain name linked to one of its former services, officially discontinued since 2014, expire. Yet the service continued to be active on users' phones, and a security researcher managed to take over the domain name.
Forgetting to renew a domain name can be expensive. This is more or less what happened to the 3D Secure payment system, and Samsung has now also found itself caught out by an old expired domain name. As reported by Motherboard, an independent security researcher discovered that the domain ssuggest.com, initially controlled by Samsung, was freely available.
S Suggest is a default application provided by Samsung on older models of Android phones. It suggests applications to the user with the guarantee that they will work on the device in question. It is crapware of the kind we see so often, and it was officially abandoned in 2014 according to Samsung, which no longer offers it to its new customers. But the application remains widely installed and functional on devices marketed by Samsung. And these applications check for their updates on the domain name ssuggest.com, now owned by security researcher João Gouveia.
The latter discovered that Samsung had not renewed the domain name ssuggest.com and managed to take control of it. As he explains to Motherboard, the domain is still widely used: within 24 hours, he was able to see more than 620 million connections to it. It is difficult to get an exact number of users affected, but it does mean that there are many.
What are the risks? According to Samsung, these are negligible. In a reaction relayed by Motherboard, the Korean company explains that the takeover of this domain “does not allow the installation of malicious applications and does not allow taking control of the phone.” This interpretation is disputed by security researchers, who point out that the application has the permissions required to install new applications on the phones that have it.
The application naturally relies on the abandoned domain name, which could have been exploited in several attacks if it had fallen into the wrong hands. Fortunately, João Gouveia does not want to use it and is willing to return the domain name to Samsung if the Korean company asks for it.