Last week, at the DEF CON security conference held in Las Vegas, security researchers presented details about 47 vulnerabilities in the firmware and default apps of 25 Android smartphone models, 11 of which are also sold in the US.
These vulnerabilities, embedded in full in the table at the bottom of this article, range from simple flaws that crash devices to dangerous bugs that grant attackers the ability to get root access on users' devices.
Some of the most dangerous of these vulnerabilities allow an attacker to retrieve or send SMS texts from the user's phone, take screenshots or record videos of the phone's screen, retrieve the user's contacts list, force the installation of arbitrary third-party apps without the user's knowledge or consent, or even wipe the user's data from the device.
Some big OEM brands listed
These vulnerabilities were discovered both in the default apps that come preinstalled on some devices (and are sometimes unremovable) and in the firmware of core device drivers that can't be removed without losing some of the phone's functionality, if not access to the device as a whole.
US mobile and IoT security firm Kryptowire unearthed these vulnerabilities as part of a grant awarded by the Department of Homeland Security (DHS).
The smartphone brands (OEMs) on Kryptowire's list include big names such as ZTE, Sony, Nokia, LG, Asus, and Alcatel, but also smaller companies such as Vivo, SKY, Plum, Orbic, Oppo, MXQ, Leagoo, Essential, Doogee, and Coolpad.
"With the hundreds of mobile phone makes and models on the market and thousands of versions of firmware, best-effort manual testing and evaluations simply cannot scale to address the problem of identifying vulnerabilities in mobile phone pre-installed apps and firmware," said Angelos Stavrou, CEO of Kryptowire, in a press release also announcing the release of a new enterprise-targeted platform for automatically testing the firmware and apps of Android mobile devices.
Some old names on the list
Some of the OEM brands are old acquaintances, for example ZTE. Leagoo and Doogee have been listed in previous reports about insecure Android device makers. Devices from these two vendors were found on two different occasions to come preinstalled with banking trojans.
Back in November 2016, Kryptowire also discovered a backdoor mechanism in the FOTA (Firmware Over The Air) update software system produced by Chinese firm Adups. That FOTA system was included in the firmware of many Android phone makers, and a year later was found to be still active, despite public disclosure.
Below are the vulnerabilities discovered by the Kryptowire team, and presented last week at DEF CON.