Kryptowire, a security company that has developed an automated mobile vulnerability discovery and exploit generation engine and is a participant in the U.S. Department of Homeland Security (DHS) mobile security research and development program, has revealed a total of 146 new vulnerabilities impacting Android device users. That number alone is significant enough to make the average Android user shudder, but it gets worse: these vulnerabilities don’t require the user to download a malicious app; they are already on the smartphone itself when you purchase it. The research, which focused on preinstalled software across a total of 29 Android smartphone vendors, including Asus, Samsung, Sony and Xiaomi, is of particular concern as, according to Kryptowire, the vulnerabilities are so hard to remove. Here’s what you need to know.
What did the Kryptowire vulnerability research entail?
On the basis that manual penetration testing is cumbersome and costly when applied within the mobile device ecosystem, Kryptowire developed an automated mobile vulnerability discovery and exploit generation engine. This tool not only enables Kryptowire researchers to scan Android device firmware without a need to have the physical device itself but also automatically creates a proof of concept exploit. That’s important in terms of vulnerability validation and makes false positives a lot less likely.
The Kryptowire researchers tasked themselves with quantifying the exposure of Android users to the problem of vulnerabilities within preinstalled apps and firmware on their devices. To do so, they analyzed devices ranging from entry-level to flagship from Android vendors great and small. “Our primary focus was exposing pre-positioned threats on Android devices sold by United States carriers,” the research report stated, “although our results affect devices worldwide.” These devices included the Asus ZenFone, Samsung A3, A5, A7, A8+, J3, J4, J5, J6, J7, S7, S7 Edge, Sony Xperia Touch, Xiaomi Redmi 5, Redmi 6 Pro and Mi Note 6 amongst many others from little-known vendors. In all, millions of users could be impacted by the vulnerabilities that have been simultaneously disclosed.
What Android vulnerabilities were disclosed?
So what did Kryptowire discover when it scanned devices from a total of 29 smartphone vendors for unsafe states earlier this year? The report breaks these down by vulnerability type, with system properties modification being the most common and representing 28.1% of the vulnerabilities found, followed by app installation (23.3%), command execution (20.5%), wireless settings modification (17.8%), audio recording (5.5%) and dynamic code loading (4.1%). According to a TechCrunch report, while some of these vulnerabilities are limited to the supply chain as they require another preinstalled app to trigger them, others are broader in scope as they can apparently be triggered by user-installed apps.
How serious are these Android vulnerabilities?
The Kryptowire CEO, Angelos Stavrou, told Wired: “If the problem lies within the device, that means the user has no options. Because the code is deeply buried in the system, in most cases, the user cannot do anything to remove the offending functionality.” This is particularly true of those vulnerabilities that reside in preinstalled, system-level functionality. That same Wired report quotes a Samsung spokesperson as saying: “Since being notified by Kryptowire, we have promptly investigated the apps in question and have determined that appropriate protections are already in place.” That statement applies to the four preinstalled apps that were developed by Samsung itself; the remaining two apps were developed by third parties, and Samsung pointed the researchers in their direction. In total, some 33 vulnerabilities were found by Kryptowire across the Samsung devices.
Third-party applications are often preinstalled on Android smartphones, including apps from those developing code for device functionality and from carriers with an interest in messaging, for example. Stavrou told CNET, “Google can demand more thorough code analysis and vendor responsibility for their software products that enter the Android ecosystems.” Google, meanwhile, does employ its own firmware vulnerability scanning solution called the Build Test Suite (BTS), and this prevented 242 firmware builds with potentially harmful applications from entering the Android device ecosystem in 2018. As far as the Kryptowire research is concerned, Google issued the following statement: “We appreciate the work of the research community who collaborate with us to responsibly fix and disclose issues such as these.”
What can Android users do about it?
“Ideally, people should only have apps on their devices that they have downloaded and installed themselves,” Jake Moore, a cybersecurity specialist at security vendor ESET, says, “in a perfect world, we would know exactly what each app on our phone does.” Of course, the problem with the vulnerabilities found by Kryptowire is that they were in preinstalled apps and device firmware. Nonetheless, Moore says that it’s “a good idea to delete any app that you don’t use, and that goes for those apps you may have once downloaded a long time ago that you don’t use anymore.” Beyond that, Android users are only left with the option of trusting that the device vendors will always protect them from potential harm. Everything from the recent hacking, twice, of the Samsung Galaxy S10 through to the vulnerabilities for 40 million Galaxy and Note users or the Qualcomm ‘TrustZone’ vulnerabilities, would suggest this is a less than ideal position to be in.
I have reached out to Asus, Sony and Xiaomi for a statement regarding the Kryptowire disclosures and will update this article as soon as possible with any responses.