25 Android smartphone models contain severe vulnerabilities off the shelf

Researchers say that the swathe of bugs impacts major vendors.
Written by Charlie Osborne, Contributing Writer

Mobile malware may still be far less prevalent than the threats crafted for traditional PC systems, but threat actors are seeking ways to compromise these important devices we use on a daily basis.

Contact lists, online banking credentials, social media accounts, images, videos, and more can all be enticing targets -- and all of them can often be found on our mobile devices.

According to Kaspersky Lab, the volume of new mobile threats detected in the wild dropped by 11 percent in Q1 2018 in comparison to the previous quarter.

Out of those detected, unwanted RiskTool apps, Trojan droppers, and advertising apps were the most prevalent. The cybersecurity firm also recorded an uptick in mobile banking malware.

In order to compromise your mobile device, threat actors will often attempt to sneak malware-laden apps into Google Play, the official Android app store.

Sometimes these activities succeed, leading to the spread of malware through mobile apps which may be downloaded thousands of times.

To make matters worse, recent infections found in Google Play indicate that developers building apps in compromised environments can also become an attack vector.

Google, cybersecurity firms, OEMs, and Android developers are fighting to keep our devices safe, but little can be done if they are purchased with vulnerabilities already in tow -- which researchers from IoT and security firm Kryptowire say is happening now.

Speaking at DefCon in Las Vegas last week, Kryptowire researchers said that 25 Android smartphone models contain a slew of vulnerabilities which may expose the user to attack from the time of purchase.

After analyzing handsets from Android vendors and carriers, from low-end models to more expensive flagships, the team discovered bugs ranging from minimal risk to critical problems in pre-installed apps and firmware.

As reported by sister site CNET, Kryptowire uncovered a total of 38 different vulnerabilities in pre-loaded applications and the firmware builds of 25 Android handsets, 11 of which are sold in the United States.

The researchers said their work was primarily based in the US, but the impact of these bugs is worldwide.

"All of these are vulnerabilities that are prepositioned," Angelos Stavrou, Kryptowire CEO, told attendees at the conference. "They come as you get the phone out the box. That's important because consumers think they're only exposed if they download something that's bad."

OEMs and smartphone vendors impacted include ZTE, Sony, Nokia, LG, Essential, and Asus, among others.

Android builds and pre-installed apps vary based on smartphone models and OEMs. As a result, a security flaw may impact an Essential smartphone, for example, but not an LG model in a similar price bracket.

The security flaws include issues present in ZTE ZMAX Pro phones which allow text messages to be exfiltrated, edited, or sent without user permission; as well as two bugs in ZMAX Champ pre-installed apps which can be utilized to force an "unfixable" boot recovery loop or factory reset.

A vulnerability in the Sony Xperia L1 permits attackers to covertly take screenshots, and a similar issue was found in the Nokia 6 TA-1025. In the LG G6, a particularly nasty vulnerability can lock a user out of their own phone -- even in safe mode -- and the user will be forced to factory reset in recovery mode.

"The user may be able to unlock the device if they have ADB enabled prior to the locking of the screen and can figure out how to unlock it which may be difficult for the average user," the researchers added. "This acts as a Denial of Service attack and results in data loss if a factory reset occurs."

Other security flaws include another LG G6 problem which can be exploited to gain the kernel log, and a pre-installed app in Essential phones which allows any app on the device to wipe all user data via a factory reset. In the Asus ZenFone 3 Max, attackers can utilize a flawed pre-installed app to obtain system data or Wi-Fi passwords -- as well as execute arbitrary code through a wireless connection.

Kryptowire has reported its findings to affected vendors, and firms including LG, Essential, and Asus have either deployed OTA updates or are working on patches now to resolve the security flaws.

Google has emphasized that the vulnerabilities do not affect the Android operating system itself, but rather "third-party code and applications on devices," according to a company spokesperson.

"Together with Kryptowire, we have reached out to affected Android partners to address these issues," the spokesperson added.
