Millions of Samsung phones are vulnerable to an Android and Google Pay attack


Researchers from Tel-Aviv notified Samsung about the threat last year, and the necessary fixes were released in August 2021. To stay safe, if your Android phone shows a security patch level of July 2021 or earlier, install the latest updates as soon as possible. Speaking about the researchers’ findings, a spokesperson for Samsung said: “Samsung takes the security of Galaxy devices seriously. We are constantly looking for ways to enhance the security of our products and welcome any input from research communities. The reported issue was acknowledged and has been addressed through security updates since August 2021. We recommend our users to keep their devices updated with the latest software to enjoy safe and convenient Galaxy mobile experiences.”

Israeli security experts revealed two real-world attacks that could take advantage of the issue. The researchers were able to obtain very sensitive information from Samsung devices that was meant to be protected at the hardware level. Aside from critical payment-system data, the researchers were also able to bypass FIDO2 authentication to retrieve passwords. Fortunately, despite the risk this weakness poses, malicious actors did not discover it in the years it existed.

  • “A properly designed and implemented encryption scheme relies on the keys and remains secure even if an attacker knows the math and how it was coded, as long as they don’t have the key.”

  • After the flaw was discovered, one security expert described the news as “embarrassingly bad” for Samsung, while another said the South Korean tech giant had committed a “cardinal sin”. Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, said on Twitter: “Ugh god. Serious flaws in the way Samsung phones encrypt key material in TrustZone and it’s embarrassingly bad. They used a single key and allowed IV re-use.” Mike Parkin, from Vulcan Cyber, said: “It is by nature complex and the number of people who can do proper analysis, true experts in the field, is limited.”
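The flaw Green describes, one key paired with a repeated IV in AES-GCM, reuses the keystream, so the XOR of two ciphertexts equals the XOR of their plaintexts; the following Go example, added here and not taken from the article or from Samsung's code, shows that consequence next to the nonce-tracking guard a defender wants (key, nonce and message values are constructed):

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// NonceReuseLeaksXOR shows the weak pattern and its consequence: one key and one
// nonce used twice give the same GCM keystream, so ct1 XOR ct2 == pt1 XOR pt2
// (tags excluded). pt1 and pt2 must be the same length.
func NonceReuseLeaksXOR(gcm cipher.AEAD, nonce, pt1, pt2 []byte) bool {
	ct1 := gcm.Seal(nil, nonce, pt1, nil)
	ct2 := gcm.Seal(nil, nonce, pt2, nil)
	var diff byte
	for i := range pt1 {
		diff |= ct1[i] ^ ct2[i] ^ pt1[i] ^ pt2[i]
	}
	return diff == 0
}

// Sealer is the hardened form: it remembers every nonce used under its key and
// refuses to encrypt again with one it has already seen.
type Sealer struct {
	gcm  cipher.AEAD
	used map[string]bool
}

// NewSealer wraps a 16-, 24- or 32-byte AES key in GCM with nonce tracking.
func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{gcm: gcm, used: map[string]bool{}}, nil
}

// Seal returns nonce || ciphertext || tag, or an error if the nonce has the
// wrong length or was already used under this key.
func (s *Sealer) Seal(nonce, pt []byte) ([]byte, error) {
	if len(nonce) != s.gcm.NonceSize() || s.used[string(nonce)] {
		return nil, errors.New("nonce reused or malformed: refusing to encrypt")
	}
	s.used[string(nonce)] = true
	return s.gcm.Seal(append([]byte(nil), nonce...), nonce, pt, nil), nil
}
```

In production the caller still has to supply a fresh random 96-bit nonce (or a strictly increasing counter) per message; the tracking map only turns a silent reuse into a hard failure.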