The ongoing DefCon 2018 has so far revealed many interesting things. Researchers have kept many of their important discoveries under wraps for a long time so as to disclose them at this event. A couple of days ago, we heard of the fun-filled experiment of frying an egg on a cryptojacked router, which demonstrated the devastating effects of cryptomining malware on devices. Now, a report by Kryptowire explains that most pre-installed apps on Android devices carry severe security vulnerabilities.
Numerous Vulnerabilities Found In Pre-Installed Apps In Android Devices
According to the report by Kryptowire, most of the pre-installed apps on Android devices come with severe security flaws, making many Android devices vulnerable right out of the box. Researchers from the cybersecurity firm discovered 38 security vulnerabilities in apps installed on 25 different phones. Of these 25 phones, 10 are sold by major US carriers. Kryptowire gave an overview in its report:
“Our primary focus was exposing pre-positioned threats on Android devices sold by United States (US) carriers, although our results affect devices worldwide.”
The 38 vulnerabilities vary in nature and could enable spying and factory resets.
“The vulnerabilities we discovered on devices offered by the major US carriers are the following: arbitrary command execution as the system user, obtaining the modem logs and logcat logs, wiping all user data from a device (i.e., factory reset), reading and modifying a user’s text messages, sending arbitrary text messages, getting the phone numbers of the user’s contacts, and more.”
The devices tested by the researchers include ZTE, LG, Asus and Essential Phone. Almost all of them are distributed by major carriers like AT&T and Verizon.
Vulnerabilities Appear In Pre-Installed Apps Due To Open Android OS
Android phones usually come preloaded with a lot of apps, most of which are not really needed. Ironically, these apps belong to third-party firms that simply exploit the open Android OS to create customized apps. As a result, many flaws and glitches eventually arise in these apps. Angelos Stavrou, CEO of Kryptowire, said:
“The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error. They are exposing the end user to exploits that the end user is not able to respond to.”
He further emphasized these findings by highlighting that most users believe they are at risk only from the apps they download later, whereas, according to what the researchers discovered, most pre-installed apps already make the user vulnerable.
A Google spokesperson, however, clarified in a statement that the vulnerabilities belonged to the third-party applications, and not to the actual firmware.
“We would like to thank the security researchers at Kryptowire for their efforts to reinforce the security of the Android ecosystem. The issues they have outlined do not affect the Android operating system itself, but rather, third party code and applications on devices.”
Even so, the problem remains, as end users have no options available to protect themselves from such vulnerabilities. Many of the pre-installed Android apps cannot even be uninstalled. Hence, users remain reliant on the updates and patches released by the manufacturers or the carriers.