This vulnerability allows attacker to access sensors on the device, its camera, GPS, microphone, pictures and even text messages. Additionally, it allows attacker to install malicious apps without the user's permission, alter existing apps and listen to incoming and outgoing messages and voice call in real time.
The flaw was discovered last year and Samsung was notified in December 2014. NowSecure also notified CERT who assigned CVE-2015-2865. Google Android security team was also notified. Samsung started providing a patch to mobile network operators in early 2015 and its unknown whether the carriers provided the patch to the devices on their network.
A list of the most probable Samsung devices which may be vulnerable has been listed by NowSecure.