Systematic Vulnerabilities in Apple AirDrop and Android Quick Share
Researchers from CISPA have identified critical, zero-click vulnerabilities in proximity-based file-transfer protocols, specifically Apple AirDrop and Google/Samsung Quick Share. Utilizing the custom "AIRFUZZ" protocol-aware fuzzer, the study uncovered systemic flaws in how privileged daemons process unauthenticated, complex serialized content such as Binary Plists, CPIO archives, and Protocol Buffers. Exploitation vectors include Swift-based Denial of Service (DoS), XML recursion, and memory corruption via Heap Use-After-Free (UAF). Most significantly, the research demonstrated a complete bypass of Device-to-Device (D2D) encryption in Samsung Quick Share. These vulnerabilities affect over 5 billion devices globally. All affected vendors—Apple, Google, and Samsung—have released patches to remediate these flaws.
Samsung Knox: Hypervisor-Level Kernel Protection Bypass CVE-2026-20971
CVE-2026-20971 is a critical vulnerability in the Samsung Knox security framework that permits a hypervisor-level bypass through a race condition in the kernel's process integrity validation mechanism. By leveraging this race condition primitive, an attacker can circumvent the Real-time Kernel Protection (RKP) provided by the Knox hypervisor. This flaw enables a transition from a kernel-level exploit to a complete hypervisor breach, resulting in Local Privilege Escalation (LPE) to a high-privilege or system context. Such an exploit effectively neutralizes Samsung's hardware-backed defense-in-depth strategy, allowing for the deployment of persistent rootkits capable of evading real-time integrity monitoring on enterprise-managed mobile devices.
Exploitation of Tizen, WebOS, and Android TV for Residential Proxy Botnets
Threat actors and commercial entities are leveraging Smart TV ecosystems—specifically Samsung Tizen, LG WebOS, and Android TV—to establish massive residential proxy networks. Attackers exploit OS-level vulnerabilities in Tizen (versions through 9.0) and WebOS, alongside exposed Android Debug Bridge (ADB) ports on Android TV devices, to deploy botnets like Kimwolf. Concurrently, "gray-market" commercial actors embed SDKs (e.g., Bright Data/Luminati) within free consumer applications to hijack outbound bandwidth. This dual-vector approach enables large-scale web scraping, unauthorized monetization of consumer IP reputation, and significant privacy erosion by transforming always-on residential devices into high-bandwidth proxy exit nodes.