Samsung Galaxy S6 Edge
The domain in question was used to control a popular stock app called S Suggest, which came pre-installed in older model Samsung phones Reuters

Millions of Samsung users were reportedly left vulnerable to hackers after the popular smartphone manufacturer allowed a domain to expire, which was used to control a popular stock app on older models. Security experts said that hackers could have potentially taken control of the domain to install a backdoor or distribute malware-laced apps directly to scores of Samsung users.

The domain in question was used to control a popular stock app called S Suggest, which came pre-installed in older model Samsung phones, Motherboard reported. According to João Gouveia, CTO of cybersecurity firm Anubis Labs, who purchased the domain, ssugest.com, Samsung recently allowed it to expire. The researcher took control of the domain on Monday (12 June) and within 24 hours, noted 620 million "check ins" from over 2.1 million devices.

Gouveia said that the domain had several permissions, including installing apps or rebooting devices, which could have potentially been abused by hackers. "Someone with bad intentions could have grabbed that domain and to nasty things to the phones," Gouveia told Motherboard.

Samsung denies claims devices could have been hacked

However, Samsung disputed Gouveia's claims. The firm said that taking control of the domain would "not allow you to install malicious apps, it does not allow you to take control of users' phones". The firm discontinued S Suggest in 2014.

However, Gouveia's claims were backed up by another independent security researcher, Ben Actis, who said that if the domain had been taken over by a hacker, millions of Samsung devices could have been vulnerable to backdoors and malicious apps. Actis also said that "someone malicious could install whatever they wanted", after Samsung allowed the domain to expire.

"They f****d up," Actis said, referring to Samsung. "The app can definitely install other apps."

However, Samsung users are currently safe from being targeted by hackers, since the domain is now under Gouveia's control. The researcher said that he would be willing to give the domain back to Samsung.

It remains unclear as to why Samsung allowed the domain to expire. It is also uncertain as to how long the domain was left adrift before it was snapped up by Gouveia.

Samsung's latest security gaffe comes after a security researcher found the tech giant's new mobile operating system (OS) riddled with vulnerabilities, which even led him to deem it as the "worse code I've ever seen".

Update:

After publication of this article, a Samsung spokesperson provided IBTimes UK with the following statement in an email:- "Protecting consumers' privacy and the security of our devices is a top priority at Samsung. The report involves a Samsung service that was discontinued in May 2014. We are aware of the report in question and are looking into the matter."