
Brand new Android smartphones shipped with 146 security flaws

If you think brand new, just-out-of-the-box Android smartphones are immune from security vulnerabilities - think again.

If you think brand new Android smartphones are immune from security vulnerabilities, think again – a new analysis by security company Kryptowire uncovered 146 CVE-level flaws in devices from 29 smartphone makers.

Without studying all 146 in detail, it’s not clear from the company’s list how many were critical flaws, but most users would agree that 146 during 2019 alone sounds like a lot.

The sort of things these might allow include modification of system properties (28.1%), app installation (23.3%), command execution (20.5%), and modification of wireless settings (17.8%).

Remember, these devices, which included Android smartphones made by Samsung and Xiaomi, had never even been turned on, let alone downloaded a dodgy app – these are the security problems shipped with your new phone, not ones that compromise the device during its use.

The culprit is a range of software specific to each manufacturer, installed in addition to Android itself or its Google applications.

But in common with Android and Google applications, these can’t be de-installed. The only way to patch one of these flaws is for the smartphone maker to be told about the issue and to issue a fix.

Factory soiled

We’ve been here before, of course. In August 2019, Google Project Zero researcher Maddie Stone gave a presentation at Black Hat to highlight the issue of malware she and her colleagues had discovered being installed on Android devices in the supply chain.

While this related to software deliberately installed to do bad things rather than vulnerable software, the effect from the user’s point of view is that they are exposed without realising it.

In one example, the Chamois SMS and click fraud botnet managed to infect 21 million devices. Even after a concerted clean up, two years later it was still clinging to the devices of nearly 7.4 million victims.

Less is still more

What then is the fundamental problem at work here? Clearly, these devices are part of complex hardware and software supply chains, so perhaps vulnerable or compromised Android devices just go with that territory.

Not according to Kryptowire, whose CEO Angelos Stavrou made an important point in an interview with Wired:

We believe that if you are a vendor you should not trust anybody else to have the same level of permissions as you within the system. This should not be an automatic thing.

Arguably, it follows that perhaps vendors shouldn’t install so much hardwired software on Android devices that users can’t de-install. The suspicion is that some of it is only there for commercial reasons, a mildly scandalous motivation for risking the security of a device.

Our advice is to consider buying from a vendor that sells stock, or near-stock, Android (i.e. with a minimum of additional software).

The majority of the manufacturers found by Kryptowire to have vulnerable devices are brand names nobody outside of Asia is likely to encounter. On the other hand, a disproportionate number of the flaws were found in popular brands.

Undoubtedly, it would help if Android device makers spent more time examining their products for the sort of vulnerabilities security companies seem able to uncover quite easily once they ship. Will that happen? Over to you, Google.

11 Comments

Scandalous!

With the majority of manufacturers only offering OS support updates for a very limited time (much shorter than your average cellphone is in use by the customer) almost everyone is guaranteed to have a device in use that contains vulnerabilities that will never be corrected. By design, it is much too difficult (or impossible) for most users to replace the OS on their device with an open source generic version. Consumers are being sold a pig when they really want a cow – and most consumers appear to be quite happy with this because there is no hue & cry for change.

Reply

Back Hat? Not sure I’ve heard of that one. Is it a vulnerability conference?

Reply

“The culprit is a range of software specific to each manufacturer, installed in addition to Android itself or its Google applications.”

The problem here is that the apps are picked by Marketing, not Engineering. This is the same thing that happened with Lenovo laptops/desktops that shipped with the MITM software.

“Our advice is to consider buying from a vendor that sells stock, or near-stock, Android (i.e. with a minimum of additional software).”

Like my Essential PH-1? If anybody could see this problem, it would be Andy Rubin. And it justifies my comment about Marketing versus Engineering.

Reply

Nobody would buy a house that came with vagrants, why would you buy a phone with them?
Some boycotting and flooding support lines will convince them that it’s cheaper to not force crap on phones than pay for the support and bad PR. Unless people are passive sheep that just eat what they are fed… People here are not so sheepish, non-technical people understandably don’t realize the crap they were sold into, which is likely over 80% of owners.

Reply

This is one reason you should allow the device to perform an update of all its apps as soon as you sign in. The Google Suite is always out of date by the time a device is released.

Reply

This is a bit misleading, isn’t it? For example, if you bought a Samsung S7 edge with a particular software release preloaded on it, it came with three identified CVEs which could only be exploited by system apps – no single Android device appears to have had more than 3-4 vulnerabilities identified.

Given that there have been 156 iOS vulnerabilities published via CVEs in 2019, 3-4 vulnerabilities per Android device doesn’t seem out of whack.

Reply
