Why I Hate Samsung


I'm a very passionate person. I'm crazy about the Eurovision Song Contest, the Three Body Problem trilogy, and music. But passion goes both ways, and as much as I deeply love some things, I also deeply hate others. In a recent post I acknowledged my deep hatred of advertising, but I also hate - for example - the entire state of Florida and Samsung. (Note: none of these are related.)

In fact, I am known for how much I hate Samsung, and I wear that like a badge of honor.


Occasionally I'll mention this fact, and lately several people have asked me to elaborate. I've touched on most of these reasons over the years, but never in a single place, so in this post allow me to consolidate my reasoning and get curious readers up to speed on exactly why Samsung has earned a spot in my personal hatred hall of fame.

Note: This list is in no particular order, but I did try my best to group things together logically.

Weeping Angel

Picture it: the Internet of Things, 2017. The CIA has developed a new exploit that can put your smart TV into a fake "off" mode where it appears to be off, but the camera and microphone remain secretly active, allowing them to see and hear what goes on in someone's private home.

It was called "Weeping Angel," and as far as we know it exclusively targeted Samsung TVs. There were probably a few reasons for this, and to be fair not all of them are Samsung's "fault."

For example, at the time Samsung was the leader in Smart TV sales by a wide margin, so if you were gonna target someone via their Smart TV (like a foreign spy or official), odds were they had a Samsung.

Other possible explanations are their fault, however, like having overly complex software with a lot of potential attack surface. Samsung's TV software is large and complicated because it allows for so many integrations and features, which makes it attractive to end users. But large, complicated code is also much harder to secure and keep safe.

This will be a recurring theme in this blog post: sacrificing quality and safety in the name of more shiny features that attract paying users.

Bloat

Most Androids come preloaded with apps the user didn't ask for and in some cases doesn't want, such as Facebook or the manufacturer's proprietary browser. In many cases, you can't delete these apps. Techies call this "bloatware."

Bloatware is bad for privacy because it means that more third-party companies have access to your data. It's also bad for your security because more apps means more attack surface.

Samsung goes a step further than most manufacturers by trying to create their own entire ecosystem. This means a lot of duplicate apps, thus bigger code, and thus added complexity built on top of the existing stock software. You can probably guess where this is going.

libimagecodec.quram.so

In 2024, spyware makers found an exploit in Samsung's libimagecodec.quram.so library, which is used for image processing. This allowed attackers to record microphone audio, phone calls, and more without the victim's knowledge.

It should be noted that as far as we know this was only used in state-level malware (like the infamous Pegasus) meaning that it's very unlikely this would've been deployed on average users (though that's not without precedent).

Regardless, the point is that the vulnerability existed because Samsung decided they needed to reinvent the wheel rather than use existing, proven standards that would likely have met their needs just fine.

AppCloud

Budget Android devices are notoriously worse for privacy than flagship, name-brand models, usually because budget phones include more bloatware (especially from third parties) than usual. Samsung is no exception here.

The Galaxy A and M series specifically shipped with a pre-installed app called AppCloud.

AppCloud is already a user-hostile piece of software that (in my opinion) is worse than typical bloatware because its sole purpose is to serve you ads and recommend other apps via push notifications.

Like most bloatware, AppCloud can't be uninstalled without some serious tech work beyond the skill of most average users, and sometimes even then it reappears after updates.

What really takes the cake is that it collects tons of data without your knowledge or consent such as biometric data, IP addresses, device fingerprints, and sometimes can even install apps without interaction from you.

Pwn2Own

There's a saying that madness is doing the same thing repeatedly and expecting a different result. If so, Samsung is completely mad.

In 2022, 2023, 2024, and 2025, each successive generation of the Samsung Galaxy was consistently hacked using the exact same type of vulnerability at "Pwn2Own," an international hacker conference where security researchers show off vulnerabilities and report them to companies to be fixed. These "media parsing flaws" - to me - illustrate a failure to learn from the past as the same underlying weakness appeared in Samsung's flagship model year after year in each new version.

Disclaimer: maybe I'm being an idiot who doesn't know how code works. Maybe it's hard to secure against an entire class of vulnerability. The researchers didn't always use the same steps to hack the devices, but each time the vulnerabilities fell under the same umbrella.

Source Code Breach

In 2022, Samsung was one of several large companies hit by the up-and-coming Lapsus$ ransomware gang. In the case of Samsung, they got ahold of source code and leaked it online, around 190GB.

Samsung got off relatively easy in this breach. While exposing the source code may have theoretically made it easier for cybercriminals to find new exploits, there are no confirmed cases of this happening.

It's worth noting, though, that I was unable to find any public expert analysis of Samsung's code either way - nobody came forward to say "wow this is really bad code" or "wow this code is pretty great."

Compare this fallout to some other Lapsus$ victims like Nvidia, Okta, and Rockstar Games who had much more damaging content exposed, including user data.

2G

Up until now you could argue that Samsung is a typical tech company. Big companies make for big targets, and nobody's got a perfect security track record. Even if they are increasing risk by bloating their code, that's not particularly unique. And you'd be right.

Here's where we move past "sloppy negligence" into "malice."

2G is the second generation of cellular network technology. To give you an idea of how old it is, it debuted in the 1990s. 3G came along in the 2000s (and now 4G & 5G). 2G has been phased out in many parts of the world, but is still fairly common (particularly outside of the West).

For the purposes of this blog post, the thing you need to know is that 2G has few (if any) protections from a privacy and cybersecurity standpoint.

Because of all this, Android has included a toggle to disable 2G ever since Android 12 (October 2021 - March 2025). Samsung, however, actively removes this toggle in most countries.

I'm honestly completely baffled why they would do this.

There is literally no reason to remove this toggle.

2G is on by default in Android, and studies show that most people don't change the default settings, meaning it presents no usability challenges to users in regions where 2G remains prevalent.

All this does is prevent users in more developed countries from being able to better protect themselves, remove users' control of their data and devices, actively put users at risk, and make more work for Samsung to remove the toggle in every new release.

Data Collection Practices

Pretty much all companies have garbage privacy practices. Even the most privacy-respecting of the Big Tech companies still leaves a lot to be desired by default. So really this last point is just the cherry on top:

By default, Samsung devices collect massive amounts of personal data from users.

Some of this is pretty standard stuff you'd expect for a phone to function like IMEI, model, and operating system information.

Others are a bit more questionable, like advertising ID and location.

Some are downright "wtf," like biometric data, usage patterns, device settings, and even what you type on the keyboard.

It should be noted that this privacy policy applies across all their products, so while I've focused mostly on phones in this blog post, Samsung collects basically any data they can from any device you own from them that hits the internet. That includes fridges, washing machines, Blu-Ray players, and whatever else you can think of.

(And don't even get me started on their fridges.)


Context

It's important to note that none of the things I've listed here are inherently worthy of such intense condemnation on their own. I admitted that earlier and I'll admit it again here. The NSA has backdoored many products. Google devices have had plenty of zero days. Apple has had data breaches.

So why am I extra tough on Samsung?

You probably don't realize how massive of a company Samsung is.

You probably know that they make phones and TVs and some household appliances.

Maybe you know that they're building one of the largest semiconductor factories in the world.

What you may not know is that that construction project is entirely in-house. Samsung has their own construction and engineering companies (yes, they're two separate companies).

You also may not know that they also have an insurance arm covering fire, marine, and life (again, two separate companies).

Or that they have a biologics arm.

Or an entire marketing subsidiary.

Samsung is such a massive company that when their founder died in the 1980s, they voluntarily split themselves up and still rebuilt into one of the largest international conglomerates on the planet.

As of 2026, they have the 8th largest brand value in the world.

If you haven't skimmed their Wikipedia page, you should. It's insane how many industries Samsung is involved in and how much money they have.

That's why I'm so tough on Samsung.

In case you took my word for it, here are the top 10 brands from Brand Directory in order:

  1. Apple
  2. Microsoft
  3. Google
  4. Amazon
  5. Nvidia
  6. TikTok
  7. Walmart
  8. Samsung
  9. Facebook
  10. State Grid Corporation of China

Out of all those brands, only 3 of them manufacture cell phones and ironically the other two make the most secure phones on the market: Apple and Google. In fact, the next phone manufacturer doesn't appear until #58 (Huawei).

There is absolutely no reason that Samsung can't make their phones more secure. The gap between their resources and those of Apple and Google is mere miles, but the gap in privacy & security is lightyears. They have more in common with Huawei than Apple or Google in that sense.

But instead of putting money into cybersecurity, code, or R&D, they'd rather spend that money on marketing - like a celebrity endorsement from BTS, who (for readers who don't know) is currently one of the biggest musical acts on the planet.

Obviously celebrity endorsements are nothing new. Companies are always trying to market, and for some reason we seem to think that famous people are automatically trustworthy experts.

But surely a company like Samsung - who made a net income of $25bn in 2024 - can afford both BTS and actually investing in making their products secure and private.

To be clear: I'm not mad that Samsung pays for celebrities. I'm mad that they're choosing to create a false dichotomy.

Do you want a phone that's got all these cool features or a phone that has good privacy and security? Samsung has the resources to do both, yet chooses to prioritize one disproportionately.

Apple paid for Zoë Saldaña and Google paid for Keke Palmer. Both still manage to make their phones actually secure. (Maybe Saldaña and Palmer cost less than BTS, but that just further proves my point about Samsung's backwards priorities. Apple and Google can both afford bigger names but seemingly choose to spend that money on making a decent product instead.)

When you look at these issues I've listed in this blog post alongside the context of Samsung as a company, what emerges (to me) is an image of a corporate culture that doesn't respect or value users even in the slightest, bare minimum sense and instead engages in highly "gimmicky" marketing.

Samsung is a company that has immense resources at their disposal but still decides to cut corners. At times they even actively and knowingly make security & privacy harder for users. The decisions they make are confusing if you value user data.

  • Why do their phones keep getting hacked the same way?
  • Why are they installing borderline-malware on their own budget devices, as if poor people deserve less privacy?
  • Why do they keep degrading the user experience just so they can keep bloating their code and reinventing the wheel?
  • Why haven't they introduced their own versions of Lockdown Mode or Advanced Data Protection or end-to-end encrypted RCS?
  • Why do they remove 2G protection but add a toggle for Memory Tagging Extension (and make it opt-in instead of opt-out, no less)?
  • Why did they add so many burdensome restrictions on unlocking the bootloader that it drove away custom ROM makers while Google remains (relatively) open and ROM-friendly?

To be clear: I'm not claiming Apple and Google are "the good guys," but at least they've demonstrated enough respect for their users to create secure devices with better defaults than Samsung. They picked "both and" instead of "either or."

Samsung defenders will likely argue I'm cherry-picking and being unfair. They would likely point to a slew of Samsung protections announced in recent years.

For starters, Samsung has gotten a lot of praise for their "Knox" features but Daniel Micay argues that most of Knox's innovations have become standard-issue, making it more marketing than substance these days.

Their enhanced theft protection and on-device AI privacy features are neither exclusive nor innovative. Enhanced theft protection is a standard Android feature (all they had to do was not remove it, same with the 2G toggle) while both Google and Apple try to do at least a good chunk of AI processing locally for reasons that go beyond privacy (such as performance).

One original release from Samsung is their post-quantum "Secure Wi-Fi" feature, but to me it more closely resembles an automatic VPN than a solution to a real problem, which makes the actual value it offers highly debatable (though I can at least recognize the one time they made privacy and security "on by default," even if the efficacy is highly questionable).

Their latest "privacy display" announcement has been lauded by other privacy advocates, but once again I'm not convinced that solves a serious problem either. There has been a lot of attention paid to shoulder-surfing attacks but how common are those compared to all the privacy invasions and vulnerabilities that Samsung phones don't defend against but easily could? It strikes me as "privacy theater."

The example I like to use is that Samsung is like Oreos. I love Oreos. They're one of my favorite junk foods. They're delicious. But nobody should eat a box of Oreos for dinner. Oreos have no nutritional value. They taste delicious, but there's no real substance there.

The difference is that nobody is under the impression that Oreos are a valid dinner. People do have the belief that Samsung phones are at least as good as anything else out there on any metric, if not better.

I hope this blog post has helped dispel that belief.

If you want an Android experience that will actually offer you meaningful control over your digital life, get a Pixel. Even if you never flash it with something like GrapheneOS, you'll still be handing over your data to fewer parties (since all the preinstalled apps are Google-owned anyways) and you'll have a device with significantly better security. And while I'm not going to pretend Google is a saint, they've at least built a phone that offers some kind of substance underneath all the flashy toys and features.
