Google’s Hacking Division Just Called Out Samsung. Here’s Why
A team of Google security researchers found “11 high-impact security issues” in one of Samsung’s most popular smartphones as part of a weeklong hacking contest.
Google’s Project Zero team recently published a deep dive into the security of Samsung’s Galaxy S6 Edge and found that the smartphone, which runs Google’s Android operating system, was rife with security flaws introduced by Samsung’s own software.
Some of the bugs appear to be serious, including a vulnerability in the Samsung email client that could be used to forward a user’s emails to another account.
Another flaw, in a system service that unzips files, could let an attacker write files to locations that should be protected from ordinary apps.
Luckily, Samsung was told about the issues before the blog post was published, and it has already fixed eight of them. The remaining three fixes are coming in an update this month.
The newly discovered vulnerabilities are another example of Google’s hacking division’s adversarial approach to security.
Google’s Project Zero is a group of Google security researchers formed in July 2014 with the mission of finding and getting fixed “zero-day” bugs: serious vulnerabilities that the vendor doesn’t yet know about and for which no patch exists. Essentially, it spends its time trying to hack into the systems people use daily.
When the team finds a bug, it alerts the company involved and gives it 90 days to fix the problem. If the bug isn’t fixed by that deadline, Project Zero publishes what it discovered on its blog. The process has been called an “ultimatum” because companies like Apple and Microsoft don’t always appreciate Google researchers trying to break their products.
The team has a wide-ranging mandate, and Google even allows it to hack devices made by Google partners such as Samsung. The team also recently took a security-focused look at Google’s own Nexus devices and even challenged official Google statements on Android security.
Project Zero’s take-no-prisoners approach can ruffle feathers, as when it published details of a Windows bug before Microsoft had shipped a fix. Project Zero maintained that Microsoft had been given the full 90 days.
In fact, in the case of Android hardware partners, or as Google calls them, OEMs (original equipment manufacturers), these kind of security checks are even more important. From the blog post:
“OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers.”
Translation: Google’s Android security may have problems of its own, but when hardware makers add their own code, running with the same privileges as the rest of the system, things can get decidedly dicey. Making the situation worse, Google can’t push security updates directly to Samsung’s phones; those fixes have to come from Samsung and the carriers.
In Samsung’s case, the company appears to have received Project Zero’s message and taken immediate steps to address the issues, which is how the system is supposed to work. But it can be argued that Samsung had no choice but to fix the bugs on Google’s schedule, which raises the question of whether Google published these vulnerabilities as a partner to Samsung, or as a competitor that might want more control over when Android updates are released.
“It is promising that the highest severity issues were fixed and updated on-device in a reasonable time frame,” Google researcher Natalie Silvanovich wrote.
Sure, Google’s team did hack one of Samsung’s most popular phones this fall, and it may be trying to hack the computer system you’re using now. But it’s doing it to keep you safe.
For more on Android’s past efforts to beef up security, watch this Fortune video: