The Android platform has a reputation for being less than secure, and, despite the system’s advantages and improvements, the situation isn’t getting any better at the rate it should be. New research from security firm Kryptowire has found that a number of Android devices include vulnerabilities right out of the box, including those shipped directly from wireless carriers. Unfortunately the cause of the problem stems from one of Android’s biggest and oldest strong points: its open nature and ability to be modified.
Kryptowire found ten different phones sold by carriers across the US that had security bugs and firmware vulnerabilities out of the box, including devices from Asus, Essential, LG, and ZTE. The vulnerabilities vary in severity but include security flaws that allow for attacks such as getting locked out of the device to remote control of the camera or microphone.
Unfortunately, these aren’t the kind of vulnerabilities that are easily patched with security updates. Kryptowire explains that the root of the problem is in Android’s ability to be tweaked and customized for different purposes, both by manufacturers and carriers. This results in security lapses that are not only difficult to identify, but also unique to small portions of the Android ecosystem. Kryptowire’s CEO Angelos Stavrou explains:
“The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error. They’re exposing the end user to exploits that the end user is not able to respond to.”
Most of the attacks that take advantage of these firmware vulnerabilities require an app with malicious code to be installed by users before they can work. One of the worst examples, however, was found in Asus’ Zenfone V Live smartphone, which had enough security holes to allow “an entire system takeover, including taking screenshots and video recordings of a user’s screen, making phone calls, reading and modifying text messages, and more.”
Kryptowire has notified a number of manufacturers and carriers of the vulnerabilities it discovered, with Asus stating that it was aware of the issues and it’s “working diligently and swiftly to resolve them” with an upcoming patch; Essential, LG, and ZTE said that some or all of their flaws had been fixed after they were notified by the security firm.
Once again the problem still persists, as the Android ecosystem is dependent on different carriers releasing the updates for different devices on their own schedule, leaving many users either waiting or unaware entirely.