Your new Android phone may have software vulnerabilities out of the box
The Android OS is still plagued with firmware bugs that put users at risk, according to the latest analysis by mobile security firm Kryptowire of 10 devices sold across the major U.S. telcos.
Kryptowire CEO Angelos Stavrou reveals that vulnerabilities have been baked into millions of Android devices ahead of time, deep in the source code and waiting for hackers to exploit.
These vulnerabilities allow hackers to lock users out of their devices and to obtain access to the microphone, call data, text messages and other personal information. This is due to the open nature of the Android OS, which allows OEMs and telcos to modify the code to their liking.
“The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error,” Stavrou says. “They’re exposing the end user to exploits that the end user is not able to respond to.”
Devices from ASUS, Essential, LG and ZTE have been found with several firmware vulnerabilities, and these companies have promised to issue security patches. However, Stavrou thinks that the patching process is not foolproof; the end user has to accept the update for it to be installed. His concerns support an earlier report by Security Research Labs that several Android OEMs have been found to be lying about security updates.
“One thing that is clear is that there is nobody defending the consumer,” Stavrou says. “It’s so deep in the system that the consumer might not be able to tell that it’s there. Or even if they did, they have no recourse other than waiting for the manufacturer, or the carrier, or whoever is updating the firmware to do so.”
In response to Kryptowire’s findings, Google states that the issues highlighted do not affect the Android OS itself, but rather, third-party code and applications on devices. As long as there are third-party apps and customised skins for Android devices, these firmware vulnerabilities will not disappear anytime soon.
There is a glimmer of hope, though: starting from June 2018, Google has modified its OEM agreements to include provisions for regular security updates. The world’s second biggest phone maker has also committed to rolling out bi-monthly firmware updates for its phones.