Samsung says you can opt out of tracking and advertising. But your phone has 24 tracking addresses permanently built into its software — including Samsung ad servers, Google analytics, and Facebook connections. These cannot be turned off through normal phone settings. The tracking service that watches which apps you use is turned on by default. Samsung Members is supposed to be a help and support app. But it asks for 65 permissions including the ability to record your microphone, access your camera, read your contacts, track which apps you use, read system logs, install and delete other apps, and capture your screen. No support app needs these capabilities. It's actually a data collection tool wearing a customer support disguise.
What they claim: Samsung Members app is presented as a support and community app for Samsung device owners — a place to get tips, diagnostics, and support.
What we found: The Samsung Members app requests 65 permissions including RECORD_AUDIO, CAMERA, READ_CONTACTS, CALL_PHONE, ACCESS_FINE_LOCATION, PACKAGE_USAGE_STATS, READ_LOGS, INSTALL_PACKAGES, DELETE_PACKAGES, SYSTEM_ALERT_WINDOW, CAPTURE_VIDEO_OUTPUT, CAPTURE_SECURE_VIDEO_OUTPUT, MANAGE_MEDIA_PROJECTION, WRITE_APN_SETTINGS, DIAGMON, MDM_CONTENT_PROVIDER, and READ_PHONE_STATE. A support app does not need to record audio, capture video output, install/delete packages, read system logs, access MDM controls, modify APN settings, or track which apps you use. Combined with firmware endpoints to analytics.samsungknox.com and config.samsungads.com, this app functions as a comprehensive device telemetry and surveillance tool disguised as customer support.
What they claim: Samsung markets the Galaxy S24 as "secured by Knox" — a hardware-backed security platform that protects user data with ARM TrustZone isolation.
What we found: Despite Knox security branding, the Galaxy S24 has been targeted by LANDFALL commercial-grade spyware (CVE-2025-21042, CVE-2025-21043) exploiting zero-day vulnerabilities in Samsung's own image processing library. CVE-2024-49415 enables zero-click attacks via RCS messages (default on S24). CVE-2024-44068 allows privilege escalation on Exynos processors. The December 2024 security update alone patched 6 critical and 28 high-severity vulnerabilities. Samsung's expanded attack surface (550+ pre-installed apps) directly undermines the Knox security promise. Knox's remote wipe capability also means Samsung maintains backdoor-level hardware control over devices users have purchased.
What they claim: Samsung privacy policy states biometric data "remains on your device and is not transferred to or accessed by Samsung." Samsung claims to respect user privacy with device-local biometric processing.
What we found: Samsung Members app (com.samsung.android.voc) requests BODY_SENSORS, USE_FACE, MANAGE_IRIS, RESET_IRIS_LOCKOUT, USE_IRIS, USE_FINGERPRINT, BIOMETRICS_PRIVILEGED, and FINGERPRINT_PRIVILEGED permissions — giving it deep access to biometric hardware and data. The app also contains 3 third-party trackers (Adobe Experience Cloud, Google Analytics, Google Tag Manager) that could theoretically exfiltrate biometric-adjacent data. While Samsung claims biometrics stay on-device, the combination of biometric access, embedded trackers and internet permission creates a pipeline where biometric usage patterns could be correlated with advertising profiles.
What they claim: Samsung's Customisation Service privacy notice states it collects "the frequency, time and duration of app usage" but claims it collects "no information on what actions you have performed within an app."
What we found: Samsung Members app requests PACKAGE_USAGE_STATS (detailed app usage statistics), READ_LOGS (system-level logging data), DIAGMON (diagnostic monitoring), and CAPTURE_VIDEO_OUTPUT/CAPTURE_SECURE_VIDEO_OUTPUT (screen capture capabilities). These permissions go far beyond tracking app frequency and duration — READ_LOGS can capture detailed system activity, DIAGMON accesses deep diagnostic data, and screen capture permissions could theoretically observe in-app actions. The claim of not tracking in-app actions is contradicted by the capability to do so.
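One way to check the permission claims in the findings above against a device, as an added example that is not part of this report: it parses the "requested permissions" block of `adb shell dumpsys package <pkg>` output (the excerpt here is constructed, and the vendor prefix on DIAGMON is assumed) and groups anything a support app should not need by category.

```python
import re

# Permissions this page names, grouped into categories of concern for a
# support app; the category labels are the editor's own.
HIGH_RISK = {
    "RECORD_AUDIO": "sensor", "CAMERA": "sensor",
    "CAPTURE_VIDEO_OUTPUT": "screen", "CAPTURE_SECURE_VIDEO_OUTPUT": "screen",
    "READ_CONTACTS": "personal", "ACCESS_FINE_LOCATION": "personal",
    "PACKAGE_USAGE_STATS": "tracking", "READ_LOGS": "tracking", "DIAGMON": "tracking",
    "INSTALL_PACKAGES": "admin", "DELETE_PACKAGES": "admin", "WRITE_APN_SETTINGS": "admin",
    "USE_FINGERPRINT": "biometric", "USE_FACE": "biometric", "USE_IRIS": "biometric",
}

# Constructed excerpt shaped like `adb shell dumpsys package <pkg>` output;
# the vendor prefix on DIAGMON is assumed, not read from a real manifest.
SAMPLE_DUMPSYS = """\
  Package [com.samsung.android.voc] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
      android.permission.PACKAGE_USAGE_STATS
      android.permission.READ_LOGS
      android.permission.INSTALL_PACKAGES
      com.samsung.android.permission.DIAGMON
      android.permission.USE_FINGERPRINT
    install permissions:
      android.permission.INTERNET: granted=true
"""

def requested_permissions(dumpsys_text):
    """Return the short names listed under 'requested permissions:'."""
    perms, in_block = [], False
    for line in dumpsys_text.splitlines():
        if line.strip() == "requested permissions:":
            in_block = True
        elif in_block:
            m = re.match(r"\s+[\w.]+\.permission\.([A-Z_]+)\s*$", line)
            if not m:
                break  # first non-permission line ends the block
            perms.append(m.group(1))
    return perms

def audit(perms):
    """Map each category of concern to the requested permissions in it."""
    findings = {}
    for p in perms:
        if p in HIGH_RISK:
            findings.setdefault(HIGH_RISK[p], []).append(p)
    return findings
```

Feeding the real output of `adb shell dumpsys package com.samsung.android.voc` to requested_permissions() lets a reader compare the list on their own phone with the 65 the report counts.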
What they claim: Samsung privacy policy presents Samsung as the entity collecting and managing user data, giving the impression of a single data controller.
What we found: Firmware analysis reveals a dual data collection architecture unique to Samsung phones. 24 hardcoded endpoints span three separate corporate entities: Samsung (config.samsungads.com, analytics.samsungknox.com, bixby.samsungcloud.com, etc.), Google (play.googleapis.com, app-measurement.com, firebaselogging-pa.googleapis.com, android.clients.google.com), and Meta/Facebook (graph.facebook.com, mqtt-mini.facebook.com, edge-mqtt.facebook.com). Pre-installed Meta services maintain persistent Facebook connections even without user-installed Facebook apps. Users face simultaneous data collection by three separate corporations with no single opt-out mechanism.
What they claim: Samsung privacy policy states they collect data to "provide, maintain and improve" services and for "personalised experiences." The policy frames data collection as serving the user's interests.
What we found: Samsung Members app contains 3 third-party trackers: Adobe Experience Cloud (enterprise marketing analytics), Google Analytics (web/app analytics), and Google Tag Manager (tag deployment for marketing). These are advertising and marketing analytics tools, not service improvement tools. Adobe Experience Cloud is specifically designed for enterprise-scale marketing campaigns and customer profiling. Combined with PACKAGE_USAGE_STATS permission (which apps you use and when) and ACCESS_FINE_LOCATION (precise GPS location), Samsung is building detailed user profiles for advertising, not service improvement.
What they claim: Samsung's privacy policy states users can manage their privacy preferences and opt out of data collection for advertising purposes.
What we found: Samsung Galaxy S24 ships with over 550 pre-installed apps including Meta App Installer, Meta App Manager, and Meta Services that cannot be fully uninstalled — only disabled. These apps use special system privileges that bypass Google Play Store security measures and regularly connect to Facebook's servers regardless of user preference. Samsung's Customisation Service is enabled by default and must be manually found and disabled (Settings > Privacy > Customisation Service). The actual privacy controls are buried across multiple settings menus across two separate ecosystems (Samsung and Google), making comprehensive opt-out practically impossible for average users.
What they claim: Samsung privacy policy states users can control their data and opt out of personalized advertising. Samsung Customisation Service privacy notice says users "may choose to disable" ad personalization.
What we found: Firmware analysis reveals 24 hardcoded telemetry endpoints including config.samsungads.com, analytics.samsungknox.com, samsung.telemetry.eyeo.com, log-ingestion.samsungacr.com, and devicelog.samsungcloudsolution.net. These endpoints are built into the operating system and cannot be disabled by the user without root access or DNS-level blocking. Additionally, Google telemetry endpoints (play.googleapis.com, app-measurement.com, firebaselogging-pa.googleapis.com) and Facebook endpoints (graph.facebook.com, mqtt-mini.facebook.com) are hardcoded alongside Samsung's own. The Samsung Customisation Service is enabled by default and tracks app usage frequency, time, and duration.
What they claim: Samsung's Galaxy AI privacy disclosure states "personal data is never stored long-term or used for AI training" and data is "discarded after 30 days."
What we found: Samsung's own Galaxy AI documentation reveals Live Translate uses "hybrid processing" — conversations are initially processed locally then encrypted prompts are sent to Samsung's US-based AWS servers for LLM completion. Cloud-first AI services transmit raw inputs to external servers. While Samsung claims 30-day deletion, the data traverses Samsung's AWS infrastructure, Google's servers, and potentially third-party LLM providers. Users must manually disable cloud processing via Advanced Intelligence settings — this is not the default. Phone calls processed through Live Translate are being sent to cloud servers by default.
What they claim: The Galaxy S24 is sold as a personal consumer device that the buyer owns and controls.
What we found: Knox security platform includes device attestation via ARM TrustZone — daily attestation checks verify device security posture. Knox Enrollment Service can remotely lock or wipe a device at Samsung's discretion. Samsung Members app has INSTALL_PACKAGES and DELETE_PACKAGES permissions, allowing Samsung to silently install or remove software. MDM_CONTENT_PROVIDER permission gives access to Mobile Device Management controls typically reserved for enterprise IT departments. WRITE_APN_SETTINGS allows modification of cellular network configuration. LAUNCH_SOFTWARE_UPDATE can trigger system updates. Taken together, these capabilities give Samsung enterprise-level administrative control over a consumer device.