THREAD: If you have a @SamsungMobile phones, whatever your phone model, an attacker with a physical access to your phone can capture your network traffic without your consent. Let me show you

⬇️⬇️⬇️

Step 1: Open the Calculator app

Step 2: Type (+30012012732+

The DRParser Mode app is launched

Step 3: Type *#9900#

The Service Mode app is launched. You have already a lot of cool options:
- run dumpstate/logcat/modem log
- enable silent logging from boot
- media db dump
- enable seclog
- ...

Wait why these 3 buttons are in black?

Low battery dump, tcp dump start, IMS logger, it looks like cool things 😁

tcpdump is a command-line packet analyzer, it is use a lot to capture network traffic tcpdump.org
When I click on the "tcp dump start" button, a pop up appears. They implemented an OTP mechanism

Wait a second, my phone is not connected to Internet, so this OTP mechanism is a local mechanism. Time for some magic

I reversed the ServiceMode app and created a small proof of concept with the CheckOTP method.

Now, I can run my POC, enter the key given in the pop up and hop tcpdump is running on the phone aka all the network traffic is captured

To retrieve the capture:
1. Click on "TCP DUMP STOP"
2. Click on "COPY TO SDCARD"

The capture is available in /sdcard/log/tcpdump/tcpdump_[interface]_[timestamp].pcap

Bonus: You can also record the victim' screen for 1 hour

Step 1: Click on the "IMS LOGGER" button (one of the 3 black buttons).

IMSLogger+ is launched

Step 2: Click on "Filter Options"

Step 3: Enable the "Record screen" option and voila!

The video will be available in /sdcard/ims_logs/

These issues has been disclosed responsibly to Samsung 3 weeks ago