A new analysis confirms what many Android users have known for ages: their devices aren't secure. It found that smartphones purchased from wireless carriers already had vulnerabilities right out of the box.
Kryptowire, the mobile security firm behind the discovery, found that issues were already present in ten devices that are sold through carriers in the United States. While the severity of the vulnerabilities varies, the problem is a result of the modifications that manufacturers or carriers apply to Android. Not only does this leave products open to exploits, but it also makes for slower releases of security updates.
According to Kryptowire CEO Angelos Stavrou,
“The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error. They’re exposing the end user to exploits that the end user is not able to respond to.”
The security firm presented its findings this week at the Black Hat conference, focusing on companies like Asus, Essential, LG, and ZTE. As an example, the Asus ZenFone V Live leaves its users completely exposed, allowing an attacker to carry out "an entire system takeover, including taking screenshots and video recordings of a user’s screen, making phone calls, reading and modifying text messages, and more." Numerous companies and carriers have been informed of the vulnerabilities.
While these kinds of problems can be fixed through an over-the-air (OTA) update, Stavrou thinks there is a problem with this process, stating that “the user has to accept the patch. So even if they send it to the phone, you might not accept the update”. This news can sound scary, but a majority of the exploits found by Kryptowire require a user to install an app on a vulnerable device. Stavrou does emphasize, however, that if a malicious app were installed, it wouldn't require any additional actions to exploit these vulnerabilities.
Again, for Android users, this is nothing new; the problem has been going on for years. Stavrou, however, does have a good point:
“One thing that is clear is that there is nobody defending the consumer. It’s so deep in the system that the consumer might not be able to tell that it’s there. Or even if they did, they have no recourse other than waiting for the manufacturer, or the carrier, or whoever is updating the firmware to do so.”
But there is a new wave of Android coming, and hopefully the implementation of Project Treble will improve things. The feature aims to streamline the update process, potentially increasing both security and the frequency of major OS updates.