MANILA, Philippines – In doing research on the Samsung Galaxy S6 Edge, Google researchers discovered and reported 11 vulnerabilities that could be used to exploit the phone or steal data from it.
A post by Natalie Silvanovich on the Google Project Zero blog on Monday, November 2, explained that while Google’s Android Open Source Project forms the basis for original equipment manufacturers (OEMs) to build their own mobile devices, extra code added by OEMs – along with the frequency of OEM patches and security updates – could harm the overall security of a phone.
The team spent a week trying to see how many vulnerabilities they could find on the Galaxy S6 Edge.
Of the 11 they found, 3 were termed logic issues that were “trivial to exploit.” This meant the time it took to find, exploit, and use a particular security issue was “very short.”
Included in the list of vulnerabilities was “a directory traversal bug that allows a file to be written as system.” The flaw would let attackers cause system files to be “written in unexpected locations.”
Another bug described in the post would have allowed a user’s emails to be forwarded conspicuously to another person’s account – with a corresponding email added to the attacked user’s sent folder.
Most of the issues have been fixed through an over-the-air patch issued within 90 days of Project Zero reporting them, but 3 of the lower-severity issues will reportedly not be patched until this month.
The post also took note of the 3 Common Vulnerabilities and Exposures (CVE) numbers for these lower-severity issues.
“CVE-2015-7898 and CVE-2015-7895 require an image to be opened in Samsung Gallery, which does not have especially high privileges and is not used by default to open images received remotely via email or SMS (so an exploit would require the user to manually download the image and open it in Gallery),” Silvanovich said.
She added, “The other unfixed issue, CVE-2015-7893, allows an attacker to execute JavaScript embedded in emails, which increases the attack surface of the email client, but otherwise has unclear impact.” – Rappler.com