CVE-2016-11044

Vulnerability

During the installation of applications on Samsung mobile devices running Android Lollipop (5.0/5.1) or Marshmallow (6.0) with fingerprint support, the verification of the application's cryptographic signature can be bypassed. This allows an application to be installed without proper signature validation. The affected software versions are L(5.0/5.1) and M(6.0).

Exploitation

An attacker with the ability to install applications on the device (e.g., through physical access or via a malicious app) can craft an application with an invalid or spoofed signature that bypasses the signature check. The exact attack vector and prerequisites are not disclosed in the available references.

Impact

Successful exploitation allows the installation of an application that would normally be rejected due to invalid or mismatched signatures. This may lead to execution of untrusted code within the application sandbox, potentially compromising user data or device functionality depending on the installed application's permissions.

Mitigation

Samsung addressed this vulnerability in a security update released in June 2016 as part of the Samsung Mobile Security program (SVE-2016-5923). Users should update their devices to the latest firmware. No workaround is documented for unpatched devices.