“Unfortunately, the API used to unzip the file does not verify the file path, so it can be written in unexpected locations,” explained Project Zero member Natalie Silvanovich. What makes it dangerous is that the “file-write vulnerability can be triggered by browsing to a website without any user interaction”, Google notes in the Project Zero bug database. The type of attack, otherwise known as a drive-by download, is commonly employed against desktop browsers. Brand and his team members had informed Samsung about similar vulnerabilities in other Samsung smartphones and publicly disclosed the same in July. The researchers used Verizon Samsung Galaxy S6 Edge model No.SM-G925V to test the attack. According to the researchers the test smartphone ran a version of Android 5.0 Lollipop which Verizon had released in early June. Samsung has addressed the WifiHs20UtilityService bug in S6 Edge through an update of SELinux. But Google researchers said that other Samsung device models may also be running WifiHs20UtilityService. Another critical bug found out by the researchers affects Samsung’s email client and is very easy to exploit, according to Google. A service used to support quick replies lacked authentication, allowing an unprivileged application to potentially gain access to email content. “An unprivileged application can send a series of intents that causes the user’s emails to be forwarded to another account. It is a very noisy attack, as the forwarded emails show up in the user’s sent folder, but it is still easy to access data that not even a privileged app should be able to access,” noted Silvanovich. Details of the remaining bugs can be found on Project Zero’s blog and its database of closed flaws.