Beginning with the Galaxy S24 series, Samsung has been offering up to seven years of mobile security updates.[1] As one of the longest periods of security support available for mobile devices, these updates help to keep customers’ smartphones secure for longer.
This peace of mind is important when navigating our hyperconnected age as cyber threats become more common and are often undetectable until too late. The global cost of cybercrime is expected to surge in the next four years, rising from $9.22 trillion in 2024 to $13.82 trillion by 2028.[2] Therefore, it is critical to use a device that benefits from an ecosystem of protective measures — such as security updates.
But where do these updates come from, and why do they pop up on your phone so regularly? Deep at the heart of Samsung’s Mobile eXperience Business lies Samsung Project Infinity, a classified operation. Samsung Newsroom met the specialist units within Samsung Project Infinity who secure Galaxy devices around the clock.
Deep Diving for Unknown Dangers
The Cyber Threat Intelligence (CTI) taskforce is a reconnaissance unit within Samsung Project Infinity, working alongside the Red (RED), Blue (BLUE) and Purple (PURPLE) Teams that go beyond lab conditions to identify real-world dangers. RED and BLUE perform proactive attack and defence functions, seeking out vulnerabilities and taking measures against them. PURPLE is a special operations unit that acts as both sword and shield for specific critical areas. These teams are strategically deployed in various countries including Vietnam, Poland, Ukraine and Brazil.
They work covertly. The only time you’ll ever notice them is when you get an update containing a security patch.
CTI is dedicated to identifying potential threats and stopping hackers from taking control of your device by staying on top of the latest risks. They work to prevent malicious actions, address threats involving the trade of stolen information and ensure your smartphone or tablet stays securely under your control.
The taskforce protects Galaxy’s internal infrastructure — safeguarding customer data and employee information such as access credentials — since any confidential information stolen by a hacker could be sold or abused for further attacks.
To identify potential threats and deploy countermeasures, CTI regularly explores the Deep Web and the Dark Web — bustling markets for security exploits, spyware, malware, ransomware, illicit tools and confidential corporate and customer information.
Justin Choi, Vice President and Head of the Security Team, Mobile eXperience Business at Samsung Electronics, leads CTI. With over 20 years of experience in the U.S. tech industry as a cybersecurity authority and ethical hacker, Choi has collaborated globally to fortify security for major financial and tech firms. His expertise in identifying and mitigating zero-day threats drives the development of advanced security measures that protect over a billion Galaxy devices around the world.
“Occasionally, we engage in security research by simulating real-world transactions,” said Choi. “We closely monitor forums and marketplaces for mentions of zero-day or N-day exploits targeting Galaxy devices, as well as any leaked intelligence that could potentially serve as an entry point for system infiltration.”
As an ethical or “white hat” hacker — whose deep understanding of hacking helps to identify and address vulnerabilities — Choi explained that any hint of suspicious behaviour within the system is swiftly traced to its origin.
For example, requests for excessive privileges, unexpected application behaviour and network traffic to unknown servers could point to a potential breach, at which point CTI traces Indicators of Compromise to identify the threat actors and the purpose of the attacks.
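The three indicators named above can be expressed as checks over device telemetry. The following is an added illustration written for this article, not Samsung's or CTI's tooling; the package names, expected permission sets, host allowlist and telemetry event format are all constructed for the example.

```python
"""Added illustration, not Samsung's tooling: triaging the three indicators the
article names over constructed device telemetry records.

Assumptions (all constructed for the example): the package names, the expected
permission sets, the allowlist of known hosts and the telemetry event format."""
from dataclasses import dataclass

# Constructed baseline: the permissions each app is expected to hold.
EXPECTED_PERMISSIONS = {
    "com.example.alarm": {"SCHEDULE_EXACT_ALARM", "VIBRATE"},
    "com.example.maps": {"ACCESS_FINE_LOCATION", "INTERNET"},
}

# Constructed allowlist: hosts the device is expected to talk to.
KNOWN_HOSTS = {"updates.example.com", "tiles.example.com"}


@dataclass(frozen=True)
class Finding:
    indicator: str  # "excessive_privilege", "unexpected_behaviour" or "unknown_server"
    app: str
    detail: str


def analyse(events):
    """Return one Finding per indicator observed; a single event may raise several."""
    findings = []
    for ev in events:
        app = ev["app"]
        expected = EXPECTED_PERMISSIONS.get(app, set())  # unknown app: nothing is expected
        if ev["type"] == "permission":
            # Indicator 1: a request for a privilege outside the app's baseline.
            if ev["permission"] not in expected:
                findings.append(Finding("excessive_privilege", app, ev["permission"]))
        elif ev["type"] == "connection":
            host = ev["host"]
            # Indicator 2: behaviour the baseline does not account for, here
            # network use by an app that is not expected to hold INTERNET at all.
            if "INTERNET" not in expected:
                findings.append(Finding("unexpected_behaviour", app,
                                        f"network use without INTERNET baseline ({host})"))
            # Indicator 3: traffic to a server that is not on the allowlist.
            if host not in KNOWN_HOSTS:
                findings.append(Finding("unknown_server", app, host))
    return findings


def indicators_by_app(findings):
    """Pivot for triage: which app shows which indicators, in observation order."""
    out = {}
    for f in findings:
        out.setdefault(f.app, []).append(f.indicator)
    return out


# Constructed telemetry, in the order a collector would emit it.
SAMPLE_EVENTS = [
    {"type": "permission", "app": "com.example.maps", "permission": "ACCESS_FINE_LOCATION"},
    {"type": "permission", "app": "com.example.alarm", "permission": "READ_CONTACTS"},
    {"type": "connection", "app": "com.example.maps", "host": "tiles.example.com"},
    {"type": "connection", "app": "com.example.maps", "host": "203.0.113.7"},
    {"type": "connection", "app": "com.example.alarm", "host": "203.0.113.7"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.indicator:22} {f.app:20} {f.detail}")
```

On the constructed sample, the alarm app trips all three indicators (a contacts permission it has no business holding, network use it was never expected to make, and a destination nobody has seen before), which is exactly the kind of stacked signal that justifies tracing the connection back to its origin before a weaker single signal does.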
“Once we spot these kinds of threats, we collaborate with developers and operators to lock everything down to prevent attacks,” said Ranger, a CTI member. (Samsung Project Infinity staff protect their identities with aliases to avoid being personally targeted by hackers.) “We even communicate with other departments and partners on private channels to avoid taking any chances.”
CTI also studies threat actors to decipher their behavioural patterns. Understanding their motivations and objectives can help reveal their attack methods and provide insights for fortification.
“Sometimes, an attack is financially or politically motivated,” added Tower, another CTI member. “Sometimes, they just like to show off.”
Eliminating Threats Before They Become Real
While real-time threat detection is crucial, a robust offensive security policy is equally vital. RED and BLUE are inspired by military practices in which a red team simulates enemy attacks and a blue team creates defences to ensure device security in the face of ever-changing threats. In Samsung’s approach, RED simulates hacker attacks and designs new attack scenarios to identify potential vulnerabilities, whereas BLUE develops and implements patches to protect against them.
Specialising in combating zero-day attacks, the teams address vulnerabilities before they can be exploited to prevent unauthorised access or data breaches. One notable data breach is the Pegasus incident in 2020 that left an operating system vulnerable.
The RED taskforce begins by investigating Galaxy devices: they continuously use and analyse new Galaxy features, delve into recently disclosed vulnerabilities and envision potential security threats to users. Once this research identifies a target that could pose a risk to actual Galaxy users, the RED taskforce sets out to find 0-day vulnerabilities in it.
“One thing we do is fuzzing,” said Arrowhead, a RED member. “That throws all kinds of unexpected data at software to uncover any hidden flaws.”
Other methods, such as code auditing and static and dynamic analysis, help build a comprehensive understanding of a system’s health and security. The team contextualises each threat in everyday scenarios to prevent threats to Galaxy devices.
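The fuzzing Arrowhead describes, throwing unexpected data at software to surface hidden flaws, is easiest to see on a small parser. The following is an added example written for this article, not Samsung's or RED's fuzzer: the record format (tag, length, payload, checksum byte), the bug in `parse_record`, the hardened `parse_record_fixed` beside it, and the mutation strategy are all constructed here.

```python
"""Added illustration, not Samsung's fuzzer: mutation fuzzing a constructed
record parser and telling graceful rejections apart from real crashes.

Assumptions: the record format (tag, length, payload, checksum byte), the bug in
parse_record and the mutation strategy are all constructed for this example."""
import random


def parse_record(buf: bytes) -> dict:
    """Constructed target with a bounds bug: it trusts the declared length."""
    if len(buf) < 2:
        raise ValueError("short header")
    tag, length = buf[0], buf[1]
    payload = buf[2:2 + length]
    checksum = buf[2 + length]  # BUG: no check that the checksum byte exists -> IndexError
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return {"tag": tag, "payload": payload}


def parse_record_fixed(buf: bytes) -> dict:
    """Hardened form: validate the declared length against the data actually present."""
    if len(buf) < 2:
        raise ValueError("short header")
    tag, length = buf[0], buf[1]
    if len(buf) < 2 + length + 1:
        raise ValueError("declared length exceeds record")
    payload = buf[2:2 + length]
    if sum(payload) & 0xFF != buf[2 + length]:
        raise ValueError("bad checksum")
    return {"tag": tag, "payload": payload}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random edit: overwrite, insert or delete a byte."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seeds, iterations, seed=0):
    """Run mutated seeds through target and collect the inputs that crash it.

    ValueError is the parser's documented way of rejecting bad input, so it is
    not a finding. Any other exception is a path the parser did not anticipate."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((case, type(exc).__name__))
    return crashes


# Constructed valid seed: tag 0x01, length 3, payload "abc", checksum (97+98+99) & 0xFF.
SEED = bytes([0x01, 0x03]) + b"abc" + bytes([(97 + 98 + 99) & 0xFF])

if __name__ == "__main__":
    found = fuzz(parse_record, [SEED], 500)
    print(f"buggy parser: {len(found)} crashing inputs")
    if found:
        print(f"  e.g. {found[0][0].hex()} -> {found[0][1]}")
    print(f"fixed parser: {len(fuzz(parse_record_fixed, [SEED], 500))} crashing inputs")
```

The design point is the split between expected rejections and everything else: a parser that raises its own error on malformed input is behaving, while an `IndexError` (the Python stand-in for the out-of-bounds read a native parser would suffer) is the flaw the fuzzer exists to find. Starting from a valid seed matters too, since random bytes rarely get past the header check, whereas small mutations of a good record reach the deeper code.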
“It’s not so urgent if there’s a flaw with the alarm clock, but a glitch in location data could lead to somebody being unknowingly followed through their device,” added Gate, a BLUE member. “Once we discover a hypothetical weakness, we hurry to patch it and roll out an update to the relevant models.”
The Specialists Among Specialists
PURPLE acts as both aggressor and protector to ensure the security of critical areas, the key features of Galaxy devices. As the name suggests, PURPLE combines elements of RED and BLUE’s skillsets — however, an extra in-depth knowledge of the security measures built into the mobile devices sets this team apart.
“Samsung collaborates with external security researchers to uncover vulnerabilities, but our own intimate knowledge of Galaxy systems allows for more effective targeting of potential weak spots,” said Sphinx, a PURPLE member.
“The better you know a system, the better you can protect it,” added Oracle, another PURPLE member.
Occasionally, PURPLE is called upon to address issues nobody else can, including formulating new security requirements, designs and features. However, it isn’t just about keeping Galaxy devices and the Samsung Knox security platform in good shape. Samsung also advises and proposes solutions to chipset and network vendors depending on their requirements.
Samsung’s position as a hardware leader means the company can not only scale its security innovations but also cover its secure supply chain. In this way, Galaxy is contributing to the security of the next generation of chips.
Perhaps surprisingly, the motivation behind this work sometimes has nothing to do with technology. PURPLE members perform with a sense of duty to keep people’s devices secure, and they feel a certain pride and satisfaction in finding and addressing vulnerabilities.
A System of Safeguards
CTI, RED, BLUE and PURPLE are critical components of Galaxy’s security strategy — but Samsung Project Infinity juggles many initiatives, including the Samsung Mobile Security Rewards Programme, which works with the wider security community to further scrutinise Galaxy’s defences.
This year, Samsung has boosted this programme with a maximum reward amount of $1 million — its highest cash incentive yet for those who are able to identify the most severe attack scenarios within Galaxy devices.
“It’s crucial to encourage participation from the security community in identifying potential vulnerabilities,” said Choi. “Especially in a world where cyberattacks are increasingly intelligent and disruptive.”
All of this goes hand in hand with Samsung’s longstanding model of collaboration with hundreds of partners including carriers, service providers, chipset vendors and more. While regularly working with these partners as well as the wider community to identify threats and develop patches, Samsung Project Infinity ensures Samsung proactively takes initiative and responsibility for reinforcing its own areas of weakness.
“Just because we have internal specialists, this doesn’t mean we don’t work with others,” added Choi. “Having more eyes gives us a better chance at spotting any vulnerabilities and helps us keep users safe.”
The next time you see an update, don’t hesitate. Hit “install” and continue your online journey with peace of mind, knowing that there’s a whole team looking out for you.
1 Timing and availability of security maintenance releases for Samsung Galaxy devices may vary by market, network provider and/or model.
2 Statista Market Insight, “Cybercrime Expected To Skyrocket in Coming Years” (chart), Statista.