
Critical Warning Issued Regarding 10 Million Samsung Phone Updates

DJ Koh, president of mobile communications at Samsung Electronics Co., speaks during the Samsung Unpacked launch event in San Francisco, California, U.S. on Wednesday, Feb. 20, 2019.

© 2019 Bloomberg Finance LP

More than 10 million users of Samsung smartphones have done the right thing in looking to manage firmware updates that improve and secure the running of their devices. Unfortunately, they may well have done so in such a way that has the potential to impact device security negatively as well as cost them money for installing updates that should be free of charge.

What has gone wrong for 10 million Samsung users?

Aleksejs Kuprins, a malware analyst at CSIS Security Group, has revealed how an app called "Updates for Samsung" has been installed by more than 10 million users who have downloaded it from the official Google Play app store. As first reported by ZDNet, the app "promises firmware updates, but, in reality, redirects users to an ad-filled website and charges for firmware downloads."

This is particularly concerning not only because, as I write this morning, the app is still available for download at Google Play, but also because it undermines the message that so many of us try to get across: keeping up to date with the latest updates for your smartphone is how you stay one step ahead of those who would do you harm. Installing firmware updates is recommended not only to ensure your device is running with all the latest features and at peak efficiency, but also for reasons of security. Anything that devalues that update message also weakens the security stance of your smartphone, even if the app developers have no inherently malicious intent from a security perspective.

How did this happen?

According to Kuprins, the key to the app's success was that it was named "Updates for Samsung" and made available through the official app store for Android users, which is often, but wrongly, assumed to be a repository of perfectly safe apps only. "It would be wrong to judge people for mistakenly going to the official application store for the firmware updates after buying a new Android device," Kuprins said, "vendors frequently bundle their Android OS builds with an intimidating amount of software, and it can easily get confusing." It is hardly surprising that new and non-technical users of a Samsung device might look to install an app that promises to make what can seem like a daunting task easy and describes its functionality thus: "Download any OS update for any Samsung device ever released, read the latest Android tech news and access the latest firmware upgrades, Android version updates, Android tips, tricks, guides & how-to tutorials to check if you can upgrade or update your device to a new version of the Android OS."

What did Kuprins find out about the app?

While the app does, indeed, enable the user to search for firmware specific to their device, Kuprins found it to be "stuffed with advertisement frameworks," and distributing Samsung firmware as part of a paid subscription scheme. The app developers are not, Kuprins said, officially affiliated with Samsung, and they charge an annual fee of $34.99 to access what is actually a free of charge update process. Then there's also the fact that the payment process itself doesn't take place via the official, and secure, Google Play subscriptions method, but instead asks for credit card details to be sent to another website.


"There is a shady peculiarity about these firmware downloads," Kuprins warned, "it does allow registered users to download firmware for free; however, the download rate is limited to 56 KBps." This means a typical firmware download would take at least 4 hours instead of just minutes if downloaded and installed directly on the handset following the official Samsung update notifications. Kuprins also noted that free downloads almost always failed to complete, "motivating the user to pay for fast downloads through paid premium packages."

What happens now?

The researcher concerned has contacted Google to report the application and request it be removed from the Google Play store. However, at the time of writing, it remains available for download. I have contacted Google for comment, as well as the developers of the app itself, and will update this article if and when I hear back from either. I am particularly concerned as to how such an app, charging for what is an essential, and totally free, system updating process managed to be approved by Google in the first place.

What should you do?

While not malicious as such, the application doesn't appear to be what it seems, as both many user reviews and the research by Kuprins suggest. My advice would be not to download apps such as this, but instead to follow Samsung's procedures for downloading updates, which will be shown on your smartphone as a notification and walk you through the simple, speedy and secure process for doing so. If you want to check on the status of your device firmware, simply navigate to the "Software Update" option in the settings menu and select "Download and install" to check if you are running the latest updates; if not, then the download will start and the update can be completed in a matter of minutes. As Kuprins said, doing so means that the "updates are guaranteed to come directly from the vendor," as well as being free of charge.


Updated July 6

A spokesperson for the developer of the Updates for Samsung app, a company called Updato, has now contacted me with regards to this story.

"I think the original article misunderstood the purpose of the Updates for Samsung application," the Updato spokesperson says, adding "but we understand how the confusion was created and that it is on us to properly correct."

Updato says that there "is a community of people (techies) who like to mod their phones with different versions of Android firmware from different release dates, versions, carriers and countries around the globe." Finding these is difficult, the spokesperson insists, and so the Updates for Samsung app "aggregates them for the convenience of our audience." The Updato database "allows people to easily search for firmware in any location for any version for any device," the spokesperson insists, continuing "saving them many hours of potential searches and uncertainty of the origin or safety of the file."

Updato insists that the app was "never intended for the typical Android phone owner to update their phones with the standard, latest firmware." If you're simply looking to upgrade your device, Updato recommends using Samsung Kies, the Key Intuitive Easy System as it used to be known, or the over-the-air (OTA) upgrades on the device itself. "We specifically state this on our download pages," the spokesperson says, and included a screenshot that urges caution and advises that people should only use Updato if they know what they are doing, as well as pointing to Samsung Kies and including a disclaimer that the company is not responsible for any damage caused by the information or files on the Updato site.

Finally, I asked Updato why the Updates for Samsung app was not using the official subscription payment methodology through Google Play itself, but was instead redirecting to another payment site. Here's what the spokesperson told me:

"Regarding the official payment, that was an honest ignorance on our part which we will remedy immediately. We have removed the app and will be updating to:
