The app you use to make every phone call on your Samsung device has a security hole that could let a malicious app silently hijack your phone's calling system — without you ever tapping anything.
Who's at Risk — and How Many People We're Talking About
Samsung is the world's largest Android smartphone maker, with over 1 billion active Samsung Android devices estimated globally. The vulnerability, tracked as CVE-2026-20983, lives inside the Samsung Dialer — the default phone app that ships on virtually every Samsung Galaxy device, from budget A-series phones to flagship S-series models.
Any Samsung device that hasn't received the February 2026 Samsung Monthly Security Release (SMR) is potentially exposed. That means hundreds of millions of everyday users — people making doctor appointments, banking calls, two-factor authentication calls — are carrying a phone with an unpatched door left open in one of its most sensitive apps. The flaw is rated HIGH severity with a CVSS score of 7.8 out of 10.
What Can an Attacker Actually Do to You?
Imagine you download what looks like a harmless flashlight or weather app from a third-party app store — or even one that slipped through Google Play's review process. Unknown to you, that app is carrying hidden instructions. Because of this vulnerability, that malicious app can reach directly into Samsung's Dialer app and force it to perform actions as if it were the Dialer itself — borrowing all the special permissions and trusted status that the phone app has earned on your device.
In practice, that means the attacker's app could launch screens inside the Dialer that you'd never normally see, manipulate call-related functions, or use the Dialer's trusted position on your phone as a stepping stone to do things a regular app would never be allowed to do. Think of it like a contractor who has a master key to your building — a bad actor who tricks that contractor can now walk through doors they were never supposed to reach. Your phone might look completely normal the entire time.
The scariest part: this requires no action from you beyond having a vulnerable phone. The attacker just needs another app — even a seemingly innocent one — already installed on the same device. There's no phishing link to click, no suspicious call to answer. The attack happens quietly, in the background, between apps.
The Technical Detail Security Researchers Need to Know
The root cause is an improperly exported Android application component within the Samsung Dialer package. In Android's security model, app components like Activities, Services, and Broadcast Receivers can be marked as either internal (private) or exported (accessible to other apps). When a sensitive component is exported without proper permission enforcement, any app on the device can send it an Intent — Android's messaging system for inter-app communication — and trigger functionality that should be locked down. This is a classic Intent injection via improper access control flaw, enabling local privilege escalation to the Dialer's permission set. The vulnerability carries a CVSS 7.8 HIGH rating under the local attack vector, reflecting that while remote exploitation isn't direct, the impact once a device has any malicious app installed is severe.
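To make the exported-component problem concrete, here is an added example (not Samsung's code, and not the Dialer's real manifest) that audits an Android manifest for components any app on the device could reach. The manifest it parses is constructed for this illustration with a hypothetical package name: it shows the weak pattern the paragraph describes (an exported component with no permission guard, and a component left exported by default through an intent-filter) next to the two hardened forms (not exported at all, or exported behind a signature-level permission). The rule it applies is Android's own: an explicit android:exported wins, otherwise a component with an intent-filter was exported by default when the app targeted an API level below 31.

```python
"""Flag manifest components that any third-party app could send an Intent to.

Added example, not from Samsung or the Dialer. The manifest below is
constructed for illustration; package and component names are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (hypothetical package, not the real Dialer).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dialer">
  <permission android:name="com.example.dialer.permission.INTERNAL"
      android:protectionLevel="signature"/>
  <application>
    <!-- Weak: reachable by any app on the device, no permission required. -->
    <activity android:name=".DebugCallActivity" android:exported="true"/>
    <!-- Weak: no explicit exported flag; the intent-filter made it exported
         by default for apps targeting API levels below 31. -->
    <service android:name=".LegacyCallService">
      <intent-filter>
        <action android:name="com.example.dialer.action.CALL"/>
      </intent-filter>
    </service>
    <!-- Fixed: kept private to the app. -->
    <activity android:name=".InternalSettingsActivity" android:exported="false"/>
    <!-- Fixed: exported, but only apps signed with the same key may use it. -->
    <receiver android:name=".CallStateReceiver" android:exported="true"
        android:permission="com.example.dialer.permission.INTERNAL"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """Explicit android:exported wins; otherwise an intent-filter implies
    exported=true for apps targeting API < 31."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit == "true"
    return elem.find("intent-filter") is not None


def signature_permissions(root):
    """Permissions this manifest declares with signature-level protection."""
    strong = set()
    for perm in root.iter("permission"):
        level = attr(perm, "protectionLevel") or "normal"
        if level.split("|")[0] in ("signature", "signatureOrSystem"):
            strong.add(attr(perm, "name"))
    return strong


def find_unguarded_exports(manifest_xml):
    """Return (tag, name) for every exported component that is not gated by a
    signature-level permission, i.e. reachable by any installed app."""
    root = ET.fromstring(manifest_xml)
    strong = signature_permissions(root)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if not is_exported(comp):
                continue
            perm = attr(comp, "permission")
            if perm is None or perm not in strong:
                findings.append((tag, attr(comp, "name")))
    return findings


if __name__ == "__main__":
    for tag, name in find_unguarded_exports(SAMPLE_MANIFEST):
        print("UNGUARDED EXPORT: <%s> %s" % (tag, name))
```

Run against the constructed manifest, the audit reports only the two weak components; the receiver guarded by a signature permission and the non-exported activity pass. Pointing the same function at an APK's decoded manifest is the check a defender would run before shipping or when triaging a report like this one.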
How Was This Discovered — and Has Anyone Been Attacked?
Samsung disclosed CVE-2026-20983 as part of its February 2026 Samsung Monthly Security Release (SMR Feb-2026 Release 1), the company's regular monthly patch cycle. At the time of writing, no active exploitation has been confirmed in the wild — meaning security researchers have not seen criminal or nation-state hackers using this specific flaw in real attacks yet. Samsung has not publicly attributed the discovery to a specific external researcher, suggesting it may have been found internally or through a private disclosure.
However, "not yet exploited" is a narrow window, not a safety net. Vulnerabilities of this class — local privilege escalation through exported components — are well-understood by Android malware authors. Once a patch is public, reverse-engineering the fix to build an exploit is a well-documented technique in the threat actor playbook. Security teams at organizations with Samsung device fleets should treat this as urgent even without confirmed exploitation.
What You Should Do Right Now
Whether you're an individual Samsung user or an IT administrator managing a corporate fleet, these three steps are your immediate action plan:
- Update your Samsung device to SMR Feb-2026 Release 1 or later — immediately.
  Go to Settings → Software Update → Download and Install. The patch is the only complete fix. Confirm your security patch level reads February 2026 or newer in Settings → About Phone → Software Information. If your device is no longer receiving Samsung security updates, consider this a serious risk factor.

- Audit every third-party app installed on your device — especially anything from outside the Google Play Store.
  The attack requires a malicious app to already be on your phone. Go to Settings → Apps and review the full list. Remove any app you don't recognize, haven't used in months, or downloaded from a browser link rather than an official store. On Android, sideloaded apps — those installed outside the Play Store — are your highest-risk category.

- Enterprise and IT teams: enforce the February 2026 patch level as a compliance requirement in your MDM policy immediately.
  If you manage Samsung devices through Samsung Knox, Microsoft Intune, Jamf, or any other mobile device management platform, set a minimum OS security patch date of 2026-02-01 and flag non-compliant devices for immediate remediation. Restrict sideloading organization-wide if you haven't already — this is the delivery vector that makes this class of vulnerability exploitable at scale.
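For an administrator who wants to verify the first two steps on a device over USB rather than by tapping through Settings, here is an added example (not from Samsung or any MDM vendor) that applies the 2026-02-01 minimum patch date and flags sideloaded packages. It parses the text printed by `adb shell getprop ro.build.version.security_patch` and `adb shell pm list packages -3 -i`; the sample output embedded below is constructed, the package names are hypothetical, and the set of installers treated as official stores is an assumption you should extend for your own fleet.

```python
"""Check a Samsung device's security patch level and third-party app sources.

Added example, not Samsung's or an MDM vendor's code. Parses the output of
two adb commands; the sample output below is constructed for illustration.
"""
import re
import subprocess
from datetime import date

# Minimum patch date from the article's MDM recommendation.
MIN_PATCH = date(2026, 2, 1)
# Installers treated as official stores (assumption: extend for your fleet).
STORE_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Constructed sample output (hypothetical packages); "installer=null" is what
# pm prints when no installer package is recorded.
SAMPLE_PATCH = "2026-01-01\n"
SAMPLE_PACKAGES = """package:com.example.bank  installer=com.android.vending
package:com.example.weatherlite  installer=null
package:com.example.flashlight  installer=com.example.sideloader
package:com.example.vpn  installer=com.sec.android.app.samsungapps
"""


def parse_patch_level(getprop_output):
    """Extract the YYYY-MM-DD patch level; None if the output is unusable."""
    m = re.search(r"(\d{4})-(\d{2})-(\d{2})", getprop_output)
    if not m:
        return None
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_compliant(getprop_output, minimum=MIN_PATCH):
    """True only when a patch level was parsed and it meets the minimum."""
    level = parse_patch_level(getprop_output)
    return level is not None and level >= minimum


def sideloaded_packages(pm_output):
    """Third-party packages whose recorded installer is not a known store."""
    found = []
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if not m:
            continue
        pkg, installer = m.groups()
        if installer not in STORE_INSTALLERS:
            found.append(pkg)
    return found


def audit_device(getprop_output, pm_output):
    """Combine both checks into one report for a single device."""
    return {
        "patch_level": parse_patch_level(getprop_output),
        "compliant": is_compliant(getprop_output),
        "sideloaded": sideloaded_packages(pm_output),
    }


def audit_connected_device():
    """Run the two adb commands on the attached device (needs adb and USB
    debugging enabled) and audit their output."""
    getprop = subprocess.run(
        ["adb", "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True).stdout
    pm = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, check=True).stdout
    return audit_device(getprop, pm)


if __name__ == "__main__":
    report = audit_device(SAMPLE_PATCH, SAMPLE_PACKAGES)
    print("patch level:", report["patch_level"], "compliant:", report["compliant"])
    for pkg in report["sideloaded"]:
        print("review sideloaded package:", pkg)
```

On the constructed sample the device reports a January 2026 patch level, so it fails the February 2026 minimum, and two packages are flagged because their installer is either unrecorded or an unknown package. Treat "installer=null" as a review item rather than proof of malice: it also appears for apps restored from a backup or pushed by some provisioning tools.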
CVE: CVE-2026-20983 | CVSS: 7.8 (HIGH) | Platform: Samsung Android | Patch: SMR Feb-2026 Release 1 | Exploitation Status: No confirmed active exploitation at time of publication.