If you think brand new Android smartphones are immune from security vulnerabilities, think again – a new analysis by security company Kryptowire uncovered 146 CVE-level flaws in devices from 29 smartphone makers.
Without studying all 146 in detail, it’s not clear from the company’s list how many were critical flaws, but most users would agree that 146 during 2019 alone sounds like a lot.
The sort of things these might allow include the modification of system properties (28.1%), app installation (23.3%), command execution (20.5%), and wireless settings (17.8%).
Remember, these devices, which included Android smartphones made by Samsung and Xiaomi, had never even been turned on, let alone downloaded a dodgy app – these are the security problems shipped with your new phone, not ones that compromise the device during its use.
The culprit is a range of software specific to each manufacturer, installed in addition to Android itself or its Google applications.
But in common with Android and Google applications, these can’t be de-installed. The only way to patch one of these flaws is for the smartphone maker to be told about the problem and then to release a fix.
We’ve been here before, of course. In August 2019, Google Project Zero researcher Maddie Stone gave a presentation at Black Hat to highlight the issue of malware she and her colleagues had discovered being installed on Android devices in the supply chain.
While this related to software deliberately installed to do bad things rather than vulnerable software, the effect from the user’s point of view is that they are exposed without realising it.
In one example, the Chamois SMS and click fraud botnet managed to infect 21 million devices. Even after a concerted clean up, two years later it was still clinging to the devices of nearly 7.4 million victims.
Less is still more
What then is the fundamental problem at work here? Clearly, these devices are part of complex hardware and software supply chains, so perhaps vulnerable or compromised Android devices just go with that territory.
Not according to Kryptowire, whose CEO Angelos Stavrou made an important point in an interview with Wired:
We believe that if you are a vendor you should not trust anybody else to have the same level of permissions as you within the system. This should not be an automatic thing.
Arguably, it follows that perhaps vendors shouldn’t install so much hardwired software on Android devices that users can’t de-install. The suspicion is that some of it is only there for commercial reasons, a mildly scandalous motivation for risking the security of a device.
Our advice is to consider buying from a vendor that sells stock, or near-stock, Android (i.e. with a minimum of additional software).
The majority of the manufacturers found by Kryptowire to have vulnerable devices are brand names nobody outside of Asia is likely to encounter. On the other hand, a disproportionate number of the flaws were found in popular brands.
Undoubtedly, it would help if Android device makers spent more time examining their products for the sort of vulnerabilities security companies seem able to uncover quite easily once they ship. Will that happen? Over to you, Google.