Android powered devices are susceptible to major vulnerabilities out-of-the-box: Report

By Shubham Sharma | Updated May 18 2019
Android powered devices are susceptible to major vulnerabilities out-of-the-box: Report
HIGHLIGHTS

As per a security research firm, many Android-powered smartphones come pre-loaded with apps that could give an attacker total control over the device if the user is not careful.

Go from OpenAPI-to-GraphQL in 2 minutes

Create GraphQL interfaces in minutes and build mobile or client apps quicker. Leverage free, open source IBM Code Patterns.

Click here to know more

Android’s open nature is a boon for OEMs and developers alike. While this means that smartphone manufacturers can create their own versions on top of it, which they usually do, someone modifying the code can also cause harm by knowingly or unknowingly introducing vulnerabilities in the ecosystem. As per a report by the security firm Kryptowire, via Wired, many Android-powered smartphones are vulnerable to remote highjacking and many other worrying hacks even before one purchases them. The security firm analysed ten Android smartphones that support US network carriers and found that the firmware and pre-installed software, which we call bloatware, expose the end-user to some serious vulnerabilities, given that a user downloads a malicious app. 

Overview of the Kryptowire report states, “Our primary focus was exposing pre-positioned threats on Android devices sold by United States (US) carriers, although our results affect devices worldwide... The vulnerabilities we discovered on devices offered by the major US carriers are the following: arbitrary command execution as the system user, obtaining the modem logs and logcat logs, wiping all user data from a device (i.e., factory reset), reading and modifying a user’s text messages, sending arbitrary text messages, getting the phone numbers of the user’s contacts, and more. All of the aforementioned capabilities are obtained outside of the normal Android permission model.” 

Wired says that the Kryptowire study was funded by the US Department of Homeland Security (DHS) and was to be presented at the recently concluded Black Hat 2018 security conference. Devices from manufacturers like LG, Asus, ZTE and others are discussed at the event and DHS had previously suggested that the China-based company ZTE poses a security threat, but the agency didn’t provide any critical info to back the statement. As per Kryptowire, a remote attacker can gain total control of the ZTE ZMax smartphone, if a malicious app is downloaded. 

One should note that even though the aforementioned vulnerabilities come pre-baked in an Android device, they can only be exploited when a user has any third-party malicious app installed. As apps on Google Play Store go through a stringent review and test process, chances are slim of downloading a malware if one sticks to app downloads from the official source. However, downloading apps from other sources and unknown websites could lead an attacker to gain complete control over a device.

Videos

NotPetya Malware Everything You Need to Know  Digitin
logo
Shubham Sharma

Working on a miniaturised version of the Arc Reactor.

Digit caters to the largest community of tech buyers, users and enthusiasts in India. The all new Digit in continues the legacy of Thinkdigit.com as one of the largest portals in India committed to technology users and buyers. Digit is also one of the most trusted names when it comes to technology reviews and buying advice and is home to the Digit Test Lab, India's most proficient center for testing and reviewing technology products.

We are about leadership-the 9.9 kind! Building a leading media company out of India.And,grooming new leaders for this promising industry.