Android-powered devices are susceptible to major vulnerabilities out-of-the-box: Report
As per a security research firm, many Android-powered smartphones come pre-loaded with apps that could give an attacker total control over the device if the user is not careful.
Android’s open nature is a boon for OEMs and developers alike. While this means that smartphone manufacturers can create their own versions on top of it, which they usually do, someone modifying the code can also cause harm by knowingly or unknowingly introducing vulnerabilities in the ecosystem. As per a report by the security firm Kryptowire, via Wired, many Android-powered smartphones are vulnerable to remote hijacking and many other worrying hacks even before one purchases them. The security firm analysed ten Android smartphones that support US network carriers and found that the firmware and pre-installed software, which we call bloatware, expose the end-user to some serious vulnerabilities, provided that the user downloads a malicious app.
The overview of the Kryptowire report states, “Our primary focus was exposing pre-positioned threats on Android devices sold by United States (US) carriers, although our results affect devices worldwide… The vulnerabilities we discovered on devices offered by the major US carriers are the following: arbitrary command execution as the system user, obtaining the modem logs and logcat logs, wiping all user data from a device (i.e., factory reset), reading and modifying a user’s text messages, sending arbitrary text messages, getting the phone numbers of the user’s contacts, and more. All of the aforementioned capabilities are obtained outside of the normal Android permission model.”
Wired says that the Kryptowire study was funded by the US Department of Homeland Security (DHS) and was to be presented at the recently concluded Black Hat 2018 security conference. Devices from manufacturers like LG, Asus, ZTE and others are discussed at the event. DHS had previously suggested that the China-based company ZTE poses a security threat, but the agency didn’t provide any critical info to back the statement. As per Kryptowire, a remote attacker can gain total control of the ZTE ZMax smartphone if a malicious app is downloaded.
One should note that even though the aforementioned vulnerabilities come pre-baked in an Android device, they can only be exploited when a user has a malicious third-party app installed. As apps on the Google Play Store go through a stringent review and test process, the chances of downloading malware are slim if one sticks to app downloads from the official source. However, downloading apps from other sources and unknown websites could allow an attacker to gain complete control over a device.