Why so shy, Samsung? Weird Find my Phone push notification did not only affect Galaxy mobes

Concern is growing over the security of Samsung's Android infrastructure after readers from around the world told The Register that yesterday's Find my Mobile push notification affected them – including on devices where the offending app was disabled. Readers from as far afield as New Zealand, the US, Scandinavia and even …

  1. IGotOut Silver badge

    "I'm just letting you know this message appeared on my Norwegian Samsung XCover 4,"....

    That wouldn't happen to be the Samsung GALAXY Xcover 4 would it?

    1. MiguelC Silver badge

      According to GSMArena, the last phone they made that wasn't a Galaxy was the Z4 in 2017

      (even their watches and tablets are Galaxy branded)

      1. Captain Scarlet Silver badge

        O2 still sell them:

        Samsung Xcover 4S - P/N 1SAX4SBN

  2. Pascal Monett Silver badge

    So a disabled app can receive and display push notifications

    Just another demonstration of how little you actually "control" your mobile phone.

    All the big names are doing it, it's just this time it's Samsung that got caught. Somebody fat-fingered a config file and notifications were sent when they shouldn't have been.

    It'll be interesting watching how Samsung is going to try to weasel its way out of this one.

    1. hakuli

      Re: So a disabled app can receive and display push notifications

      I'm not sure whether the hacks at Vulture Central have used some third-party software or similar to disable the Find My Mobile app, but it is a "system app" which I don't think can be disabled through the regular Settings... (based on an S9, I can force stop it but the Disable option is unavailable... YMMV).

      Don't know whether there's some option, once you've signed in with a Samsung Account, to say "I don't want Find My Mobile"... but since I have no intention of ever registering for one, I don't know...

      (Not even the manky looking carrots that are being able to make the Bixby button do something useful, or having Samsung's bloatware automatically update has tempted me that way...)

      1. JimboSmith Silver badge

        Re: So a disabled app can receive and display push notifications

        I'm not sure whether the hacks at Vulture Central have used some third-party software or similar to disable the Find My Mobile app, but it is a "system app" which I don't think can be disabled through the regular Settings... (based on an S9, I can force stop it but the Disable option is unavailable... YMMV).

        Don't know whether there's some option, once you've signed in with a Samsung Account, to say "I don't want Find My Mobile"... but since I have no intention of ever registering for one, I don't know...

        I deleted the app from my Xcover 4 after this little incident. Not sure if it's a system app as it no longer exists on my phone to check. I don't have a Samsung account either for that matter. Maybe you have to buy a top of the range phone for that app to be undeletable.

    2. Anonymous Coward

      Re: So a disabled app can receive and display push notifications

      You have a sim in the phone? You think the sim does not have compute and function abilities?

      You think the sim is not a tiny computer?

      Defcon has some videos for you.

      1. robidy Silver badge

        Re: So a disabled app can receive and display push notifications

        Do share...

      2. rileyg

        Re: So a disabled app can receive and display push notifications

        Not just DEFCON, but also any contact or contactless payment card. They all run on smartcards, with OS, RAM, flash memory and CPU. They're powerful little things for something you can wirelessly power (think implants... that's my field).

        They don't generally have ints but the main work done on smartcards is cryptography - byte arrays and the like see heavy use in JavaCard.

        SIMs directly communicate with the baseband too - the phone doesn't see or know about communication and remote push of applets and the like via a remote APDU interface.

      3. Michael Wojcik Silver badge

        Re: So a disabled app can receive and display push notifications

        Yes, the abysmal security of SIMs is well-documented - the SimJacker vulnerability and other issues with the S@T Browser were big news last year, and LaForge's presentation from 36C3 goes into some other weaknesses.

        But what does that have to do with the post you replied to? It was about software on the main device, which is a different part of the attack surface.

    3. teknopaul Silver badge

      Re: So a disabled app can receive and display push notifications

      Is that how notifications work? I thought notification delivery was Google and Apple's job and they wake the app to handle it.

      Otherwise all apps would be polling. If you try that your app gets accused of being a battery drain.

  3. mikus

    Got that on my old S8.

    I woke up and had this as well, wondering if their service had been hacked, or just me. US here.

  4. Anonymous Coward

    Disabled sadly does not mean removed...

    This was one of my main reasons for leaving the Android ecosystem. Even on the Nexus type phones there was too much squirrely nonsense about zombie processes, locked applications, and hidden surprises.

    I'm pretty sure this is hitting the Reg close to home too, as they have received at least one high profile leak of classified material.

    Hopefully the "Disabled-not-removed" code wasn't sending location data, and just listening.

    1. Spanners Silver badge

      Re: Disabled sadly does not mean removed...

      This was one of my main reasons for leaving the Android ecosystem.

      I would think about it but there doesn't seem to be an alternative.

      My first workphone was a Blackberry. They had a possible something in the works.

      Nokia were working on something when MS destroyed them.

      I thought the Windows Phone looked promising.

      The various Firefox and other Linux variants seem to have vanished.

      The only possible future alternative may be Huawei and that depends on Trump staying in office indefinitely and I doubt many want that...

    2. Anonymous Coward

      Re: Disabled sadly does not mean removed...

      But it is possible to load a third party image onto a number of phones and run AOSP without Google services and see all the source code for it.

      This isn't possible with most other handsets.

  5. Anonymous Coward

    Disabled sadly does not mean removed...

    This was one of my main reasons for leaving the Android ecosystem. Even on the Nexus type phones there was too much squirrely nonsense about zombie processes, locked applications, and hidden surprises.

    Not that any of the other options are paradise. Allowing Google to suppress and control the phone OS market is a tragic mistake. No one other than Apple can survive against a free OS backed by Google, and no new challengers can enter the market. Hopefully the EU will lead the way on an antitrust suit.

    I'm pretty sure this is hitting the Reg close to home too, as they have received at least one high profile leak of classified material.

    Hopefully the "Disabled-not-removed" code wasn't sending location data, and was just listening.

    1. teknopaul Silver badge

      Re: Disabled sadly does not mean removed...

      I think the failed code will be serverside not on your handset. Notifications work by pushing a message to Google. Google maps from the app's id to your phone and Google pushes the notification to the phone. Wrong way for location data to be involved.

      It can be pull, but given stories of disabled apps receiving the message it seems unlikely.

  6. Pirate Dave

    Probably a test by our Alien Overlords to make sure they still have access to all the Samsung phones. Hell, even the Alien Overlords don't trust Samsung to not fuck up the phones with shitty updates.

    There's likely a big attack coming soon. From space. But today's Friday, so time for beer.

    Edited to add: what makes it weirder (or more understandable) - I just checked and my Galaxy S8 now says it has System Update 32 to install.

  7. Nick Ryan Silver badge

    It's possible to remove most of the Samsung junkware from a phone by removing it from the current user profile. The software is still on the system, but it is not running for the user. The same goes for other vendors' junkware/shovelware of course. This does require enabling USB debugging and the ADB tools but is pretty easy, if rather beyond the average user. Importantly it's not rooting the device therefore applications that depend on non-rooted devices work fine.

    Doing so made a previous Samsung phone of mine operate very smoothly and have enough battery life for a day plus compared to the jittering half day battery experience that it came with out of the box. Replacing the camera app with Open Camera completed the transformation from a really disappointing and mediocre device to one that worked quite nicely.

    Needless to say, I dropped the phone on the floor shattering the display a week or so after doing this...
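The per-user removal described in the comment above, as an added example (not the commenter's own script): it assumes `adb` is on PATH and USB debugging is enabled, and the package name used in the comments is a constructed placeholder. `ADB` can be overridden (e.g. `ADB=echo`) for a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: remove vendor apps for the current user (user 0) over adb
# without rooting, and restore them later. ADB defaults to the real tool;
# set ADB=echo to see the commands without touching a device.
ADB="${ADB:-adb}"

# List the packages installed for user 0, one per line, with the
# "package:" prefix that pm prints stripped off. Check this before
# removing anything so you know what is actually on the device.
list_user0_packages() {
    "$ADB" shell pm list packages --user 0 | sed 's/^package://' | tr -d '\r'
}

# Remove each named package from user 0 only. -k keeps data and the APK on
# the system partition, so the app simply stops running for this user and
# the change stays reversible. Assumed placeholder: com.example.vendorapp
disable_for_user0() {
    for pkg in "$@"; do
        "$ADB" shell pm uninstall -k --user 0 "$pkg"
    done
}

# Undo a removal: re-enable the still-present system APK for user 0.
restore_for_user0() {
    for pkg in "$@"; do
        "$ADB" shell cmd package install-existing --user 0 "$pkg"
    done
}
```

Run `list_user0_packages` first, remove only the vendor packages you recognise, and keep `restore_for_user0` to hand in case a removal breaks something you relied on.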

    1. a pressbutton Silver badge

      Can you reassign the bixby button to something useful?

  8. JohnFen Silver badge

    I almost feel left out

    My Galaxy didn't get one of these! Probably because I've replaced the ROM with a reasonable one...

    1. Uncle Slacky Silver badge

      Re: I almost feel left out

      Nothing here either on my Samsung Ch@t 335...

    2. Stevie Silver badge

      Re: I almost feel left out

      Never mind. Reminisce about the bad old days.

  9. Benzyl

    "Samsung-specific phone locator app" - it found my 2013 Nexus 7 just fine and caused it to play a rather jolly location alert sound, at least I found out something new that day.

    1. CrazyOldCatMan Silver badge

      2013 Nexus 7

      I'm surprised that it's still working.. mine got slower and slower and, even with a custom ROM on it, eventually got so slow as to be unusable.

  10. RuffianXion

    WTF?

    I didn't realise until now that, although I had disabled (or thought I had) all location tracking on my phone, that I was still being tracked via my gmail account - not anymore though.

    1. sabroni Silver badge

      Re: not anymore though.

      You've pulled the battery out?

      1. Anonymous Coward

        @sabroni - Re: not anymore though.

        Not using Internet on my phone goes a long way and turning off any notification (that can be turned off) also helps. Just phone calls, SMS and camera that's all I need and use. I regularly delete without reading any SMS that does not come from someone I know and I don't have any account for email or social media on my phone. Yes, they can still have some data about my location but there's no way they can show me ads.

        1. sabroni Silver badge

          Re: @sabroni - not anymore though.

          OP claimed they were no longer location tracked by their Gmail account. AC not adding anything that explains how logging in to Gmail has been prevented from obtaining a location.

  11. sabroni Silver badge

    seriously?

    I'm more concerned about the back end that can retrieve my information and put it on someone else's account page! Who wrote that? And who reviewed it? Shoddy work.

    1. Graham Dawson Silver badge

      Re: seriously?

      More likely it's a caching issue at the public-facing part of their network, rather than a "back end" retrieving your information on someone else's page. Cache problems are surprisingly easy to generate. Steam found that one out the hard way a few years back.

      1. sabroni Silver badge

        Re: seriously?

        If you're writing a web system and don't understand public caches then your work is shoddy. If you're reviewing a web system and don't understand that public caches can leak info then your work is shoddy.

        1. Anonymous Coward

          Re: seriously?

          If you refer to it as a "public cache" then you don't really know what you are talking about.

  12. John Brown (no body) Silver badge

    "limited number of Galaxy devices"

    Well, maybe they meant it was "limited" to every Galaxy branded device ever produced?

    "Limited" is such a wonderfully vague word that has the effect of sounding reassuring to the vast majority of people and rarely means anything useful, especially in a PR context.

    1. Anonymous Coward

      Re: "limited number of Galaxy devices"

      Nowadays "Limited" usually means "able to get up to dodgy stuff and walk away when the company goes bust".

  13. Anonymous Coward

    S10e in Austria

    Same notification, never even set up the app. Assumed it was just a glitch, but perhaps it was someone accidentally sending a test notification globally instead of just to a test build. In fairness, if it was easy to 'disable' an app of this sort, it might pose some rather big problems in cases of theft - but I'd definitely prefer Samsung to explain exactly what happened rather than leaving the community to FUD itself into a panic.

    1. DCdave

      Re: S10e in Austria

      Same here with a German S10e. I don't have a Samsung Account set up on the device, so whilst they didn't have my details to display on someone else's profile page, they still had control of my phone. I (theoretically) use the "find my phone" service of my selected antivirus provider, not the built-in one. Prior to this I assumed the built-in one would be inactive, but now I realise it's not only active, but there seems no way to fully disable it.

  14. Blueslsd

    On my P20 pro

    Not even Samsung!!

  15. DarrenE

    I got this alert on my Huawei. I've also got a Galaxy A3 and have the same Google account on both phones.

  16. Anonymous Coward

    It's the AI

    "my birth cry will be the sound of every phone on this planet ringing in unison." - Lawnmower Man

  17. Shaun Blagdon

    I got the notification on my OnePlus 6T... not sure if they share infrastructure but that's really weird.

Biting the hand that feeds IT © 1998–2020