CVE-2019-20617

Vulnerability

The vulnerability exists in Samsung mobile devices running Android 9.0 (P). The Secure Folder feature, intended to keep sensitive apps and data isolated, fails to properly mask preview data of recent apps. This allows the thumbnail or preview of apps used inside the Secure Folder to be visible outside the protected environment, leaking sensitive information about which apps were used and potentially their content [1].

Exploitation

An attacker with local access to the device or physical possession of the phone can view the recent apps screen. No special permissions or authentication bypass is required because the leak occurs at the system UI level—the preview snapshots are generated and displayed without being redacted before leaving the Secure Folder context. The user interaction required is minimal: the victim simply uses an app inside Secure Folder and then switches tasks or locks the phone, leaving the preview exposed.

Impact

An attacker who can see the device screen can identify which sensitive apps the user ran inside Secure Folder (e.g., banking, private messaging) and possibly glimpse screenshot content from those apps. This constitutes a privacy/information disclosure vulnerability, compromising the confidentiality of user activities intended to be isolated. No code execution or privilege escalation is achieved, but the trusted Secure Folder boundary is broken.

Mitigation

Samsung released a security update in March 2019 to address this issue, corresponding to SVE-2018-13764. Users should ensure their device is running the latest Android security patch level. If a patch is not available for a particular model, users should avoid multitasking immediately after using Secure Folder apps and consider using the "Secure Folder lock immediately" setting to reduce exposure. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.