Android Samba app from Google only uses broken SMBv1

Experts said the new Android Samba app from Google supported only unsafe SMBv1 despite susceptibility to WannaCry exploits and unclear demand from users.

In an example of bad release timing, Google debuted its new Android Samba app on the heels of major exploits targeting the insecure version of the SMB protocol implemented in the app.

In recent months, vulnerabilities in version 1 of the Server Message Block protocol (SMBv1) have been exploited on Windows with the EternalBlue tool leaked from the NSA, as part of the WannaCry and Petya ransomware attacks, as well as in the SambaCry attacks on Linux. While it is unclear whether these flaws are present in Google's app, the Android Samba app only supports SMBv1.

Liviu Arsene, senior e-threat analyst at Romania-based antimalware firm Bitdefender, noted the release was likely bad timing by Google.

"It's entirely plausible that the app was on a product roadmap for a while, before the whole WannaCry/GoldenEye incident, and that part of coding with the SMBv1 was built before the incident," Arsene told SearchSecurity via email. "Either way, not only has support for SMBv1 been dropped for years, but everyone has been strongly encouraged to disable it for obvious security reasons."

Justin Jett, director of audit and compliance for cybersecurity vendor Plixer International in Kennebunk, Maine, said that since Google's Android Samba app is "a direct fork of Samba, it is inherently as secure as Samba."

"SMBv1, however, is a part of the Windows Operating System, and patching the Microsoft OS is the only known way to eliminate the known EternalBlue SMBv1 vulnerability. SMBv1 is still prevalently deployed across the globe, and this new Samba app from Google enables Android and Chrome OS users the opportunity to connect Windows share drives," Jett told SearchSecurity. "The Samba app does not influence the state of vulnerability for SMBv1; it's whether or not the Microsoft patch has been applied. Subsequent versions, SMBv2 and v3, have more robust security embedded, but SMBv1 is widely used, and the Google app is targeted for those users."

Arsene noted that it's unlikely Google's Android Samba app will lead to a reproduction of SambaCry for Android. "It's more likely that the Samba server still using the SMBv1 protocol would be far more at risk than the Android device."

Arsene also said it was unclear if there was demand for Google to release its own Android Samba app.

"Google Play does have quite a few Samba file-sharing clients which appear to have clocked in a couple of million downloads," Arsene said. "Whether there was enough demand for Google to release their own app is questionable, especially since it doesn't seem to offer a lot more features than existing apps."

The most popular Android Samba app in Google Play, AndSMB, has between one and five million downloads, but appears to have fallen prey to the same issue as Google's app. AndSMB only supported SMBv1 until version 3.5, released June 5, 2017, which added "experimental" support for SMBv2 and v3.

Google did not respond to requests for comment at the time of this post.
