Manufacturers Selling Unsecured Android Phones

August 14, 2018

12:48 pm

Android users are being warned about a major vulnerability affecting new Android phones and tablets that could lead to unsecured handsets. The risk was first raised last week at the annual DEF CON security conference in Las Vegas, with poor manufacturer practice identified as one of the main reasons for the problem.

Research presented by security firm Kryptowire singled out a host of manufacturers. It drew attention to their specific Android phone models as having security issues, some of which are so severe as to leave unsecured back doors wide open into devices.

Phone and tablet brands including ZTE, Vivo, Sony, Nokia and LG were all named, with a wide range of issues that could be a concern for customers and carriers.

Read on to see if your Android phone is one of the affected devices.

Some good news? None of our Best Phones of the Year were affected by this security flaw

Android Security Flaws Explained

Of the Android phones Kryptowire tested, 11 are available through US carriers. The report found elements that rendered the handsets unsecured or vulnerable to attack, and although all the models had issues, the avenues for attack were myriad.

While there were multiple flaws found in the Android software, some were more startling than others. One gave visibility to third parties of the contact list on a user’s phone. An invasion of privacy, certainly, but small fry compared to the one that allowed the phone to secretly record the user and write the audio to the SD card.

Similarly, another could be used to screenshot the user’s phone without their knowledge. There was also a way to read all the user’s texts, and even to send messages from the phone.

How Did This Happen?

The issue, it seems, is down to Android’s main strength as an operating system – it’s an open platform.

While this means that manufacturers can tailor the OS to the handset and introduce their own third-party apps, it also leaves a somewhat large margin for error should they overlook important security issues. The findings don’t suggest that these bugs are malicious or even intentional, but simply an unwanted byproduct of the system being easy to customize.

It could be that a bug was missed – a victim of the tight turnaround times expected from developers and the crush to get the latest apps on the latest handsets. Bug-testing is time-consuming and can be expensive, so it’s perhaps no surprise that issues that can turn out to be major security risks can be missed.

It’s important to note that the problems are isolated purely to the third-party apps, not the Android operating system. However, if you think that fixing the problem is as simple as just deleting the third-party apps, think again. Quite often, these are deliberately designed so they can’t be removed by the user.

Fixing the Android Security Problems

The good news is that some manufacturers have already taken steps to resolve these issues, with companies such as Asus, LG and ZTE issuing statements. Asus told the press, “Asus is aware of the recent ZenFone security concerns and is working to swiftly and diligently resolve them with software updates.” As the Asus ZenFone V was one of the worst-affected handsets, with flaws that allowed potential recording of the screen’s contents and reading of text messages, that fix can’t come soon enough.

LG stated, “LG was made aware of the vulnerabilities and has introduced security updates to address these issues. In fact, most of the reported vulnerabilities have already been patched or have been included in upcoming scheduled maintenance updates not related to security risks.”

While it’s positive that manufacturers are taking the findings of the Kryptowire team seriously, it’s important to note that the fixes are being issued through updates, so the user still has to accept and download the latest patch before they are protected. If you own one of the phones affected, be sure to update it at the earliest opportunity.

Which Android Phones are Affected?

Courtesy of Kryptowire, below is a full list of the handsets that are potentially vulnerable, plus an explanation of the flaws each could suffer from.

Be aware that most vulnerabilities in this list can be activated by an unscrupulous app, so stick with the Google Play store to ensure you’re getting legitimate downloads.

| Manufacturer | Model | OS version | Potential issue |
| --- | --- | --- | --- |
| ZTE | ZMAX Pro | 6.0.1 | Send text messages |
| ZTE | ZMAX Pro | 6.0.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages |
| ZTE | ZMAX Champ | 6.0.1 | A pre-installed app allows any app on the device to cause the device to get stuck in an unfixable recovery bootloop. |
| ZTE | ZMAX Champ | 6.0.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
| ZTE | ZMAX Pro | 6.0.1 | Obtain the numbers of contacts and numbers of people that the user has texted |
| ZTE | Blade Spark | 7.1.1 | Obtain the logcat log which gets written to the sdcard. This can be mined for user data. This does leave a sticky notification. |
| ZTE | Blade Vantage | 7.1.1 | A pre-installed app allows any app on the device to make the system write the modem log to the sdcard. This contains the sent and received text messages and the call data. |
| Vivo | V7 | 7.1.2 | Record the screen and write it to app’s private directory. A notification and floating icon pop up initially, but these can be quickly removed. |
| Vivo | V7 | 7.1.2 | Obtain the kernel log and also the logcat log which get written to the sdcard. This can be mined for user data. This does leave a sticky notification. |
| Vivo | V7 | 7.1.2 | Provides the capability to set system properties as the com.android.phone user. With this and vulnerability above, you can capture the input of the user (where they touch the screen) and the Bluetooth snoop log. |
| Sony | Xperia L1 | 7 | Take screenshot of the screen which can be used to examine the user’s notifications. |
| SKY | Elite 6.0L+ | 6 | Command execution as the system user via old version of Adups software |
| Plum | Compass | 6 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
| Orbic | Wonder | 7.1 | Pairing with the vulnerability above, the user can get the body of text messages and call data since the default messaging app is in debug mode, so the telephony data is written to the log. The log is written to the sdcard so any app can use the vulnerability above to get this data. |
| Orbic | Wonder | 7.1.2 | A pre-installed app allows the user to obtain the logcat log that gets written to the sdcard continuously. The logcat log is not available to third-party apps since it contains sensitive user data. The user can start the app with so it will not show up in the recent apps list and then dismiss it by going to the home screen so it will not be accessible to the user. It will continuously write the log file to the sdcard. |
| Orbic | Wonder | 7.1.2 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
| Oppo | F5 | 7.1.1 | Surreptitiously audio record the user and write it to the sdcard. This does require the command execution as system user to copy the recording file. |
| Oppo | F5 | 7.1.1 | Command execution as the system user |
| Nokia | 6 TA-1025 | 7.1.1 | Take screenshot of the screen which can be used to examine the user’s notifications. |
| MXQ | TV Box | 4.4.2 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
| MXQ | TV Box | 4.4.2 | Make the device non-functional. The device will not boot properly even after a factory reset. The device can likely be recovered by placing clean firmware images on the sdcard and flashing them. |
| LG | G6 | 7 | Can lock a user out of their own phone (even in safe mode) and the user will be forced to factory reset in recovery mode. The user may be able to unlock the device if they have ADB enabled prior to the locking of the screen and can figure out how to unlock it which may be difficult for the average user. This acts as a Denial of Service attack and results in data loss if a factory reset occurs. |
| LG | G6 | 7 | Obtain the logcat logs continuously which are not available to third party apps since they leak sensitive user data. The log file can be written to the app’s private directory by using path traversal. |
| LG | G6 | 7 | Obtain the kernel log and also the logcat log which get written to the sdcard. This can be mined for user data. It also creates a file on the sdcard containing the phone IMEI and serial number. |
| Leagoo | Z5C | 6 | Read the last text message from each conversation. The last message will contain the phone number, text body, timestamp, and the contact’s name (if any) |
| Leagoo | P1 | 7 | Take screenshot of the screen which can be used to examine the user’s notifications. |
| Leagoo | P1 | 7 | Local root privilege escalation via ADB. The vendor allows read only properties to be modified. They could also perform this behavior to get root privileges. |
| Leagoo | P1 | 7 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
| Leagoo | Z5C | 6 | Send text messages |
| Leagoo | Z5C | 6 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
| Essential | Essential | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
| Doogee | X5 | 6 | Video record of the screen. This capability can be used in a similar way as taking screenshots by opening apps that show the user’s messages. The recording is not transparent to the user. |
| Coolpad | Revvl Plus | 7.1.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages |
| Coolpad | Canvas | 7 | Provides the capability to set system properties as the com.android.phone user. |
| Coolpad | Defiant | 7.1.1 | Send text messages |
| Coolpad | Revvl Plus | 7.1.1 | Provides the capability to set system properties as the com.android.phone user. |
| Coolpad | Revvl Plus | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
| Coolpad | Revvl Plus | 7.1.1 | Send text messages |
| Coolpad | Canvas | 7 | Obtain the logcat logs, kernel logs, and tcpdump capture which are written to the sdcard. This leaves a notification active. The logs contain the body of sent and received text messages. |
| Coolpad | Defiant | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
| Coolpad | Defiant | 7.1.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages |
| Asus | ZenFone 3 Max | 7 | A pre-installed app with an exposed interface allows any app on the phone to obtain a bugreport (kernel log, logcat log, dump of system services (includes text of active notifications), WiFi Passwords, and other system data) which gets written to the sdcard. The numbers for received and placed telephone calls show up in the log, as well as the sending and receiving telephone numbers for text messages. |
| Asus | ZenFone 3 Max | 7 | Arbitrary app installation over the internet. Then this app can also be uninstalled after it is run using the same interface. |
| Asus | ZenFone 3 Max | 7 | Take screenshot of the screen which can be used to examine the user’s notifications. |
| Asus | ZenFone 3 Max & ZenFone V Live | 7 | Command execution as the system user |
| Alcatel | A30 | 7 | Take screenshot of the screen which can be used to examine the user’s notifications. |
| Alcatel | A30 | 7 | Local root privilege escalation via ADB. The vendor allows read only properties to be modified. They could also perform this behavior to get root privileges. This was an Amazon Prime exclusive device. |

Original table and more information can be found at https://www.kryptowire.com/portal/android-firmware-defcon-2018/
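The pattern that recurs in the list, a pre-installed app whose interface any other app on the device can call, is something a firmware reviewer can look for in each bundled app's decoded AndroidManifest.xml. The following audit is an added example, not Kryptowire's tooling or code from the original article; the manifest, package and component names are constructed, and it assumes the exposure shows up as an exported component with no permission or only a weak one.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest; package and component names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.vendor.diag">
  <permission android:name="com.example.vendor.diag.LOG" android:protectionLevel="normal"/>
  <permission android:name="com.example.vendor.diag.ADMIN" android:protectionLevel="signature"/>
  <application>
    <service android:name=".LogDumpService" android:exported="true"/>
    <receiver android:name=".ResetReceiver">
      <intent-filter><action android:name="com.example.vendor.diag.RESET"/></intent-filter>
    </receiver>
    <service android:name=".ScreenService" android:exported="true"
             android:permission="com.example.vendor.diag.LOG"/>
    <service android:name=".AdminService" android:exported="true"
             android:permission="com.example.vendor.diag.ADMIN"/>
    <activity android:name=".Settings" android:exported="false"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (component, reason) for each component any installed app can reach."""
    root = ET.fromstring(xml_text)
    # Permissions the app declares itself, mapped to their protection level.
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.findall("permission")}
    app = root.find("application")
    findings = []
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(ANDROID + "exported")
        if exported is None:
            # Pre-Android 12 default: an intent filter implies exported (providers excluded here).
            has_filter = comp.find("intent-filter") is not None
            exported = "true" if has_filter and comp.tag != "provider" else "false"
        if exported != "true":
            continue
        perm = comp.get(ANDROID + "permission") or app.get(ANDROID + "permission")
        name = comp.get(ANDROID + "name")
        if perm is None:
            findings.append((name, "exported with no permission"))
        elif perm in levels and "signature" not in levels[perm]:
            findings.append((name, "guarded only by '%s'-level permission" % levels[perm]))
    return findings

if __name__ == "__main__":
    for name, reason in audit_manifest(SAMPLE_MANIFEST):
        print(name, "->", reason)
```

Components guarded by a permission the manifest does not declare itself (for example a platform permission) are not flagged, so those still need a manual look.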


Jack is a senior writer at Tech.co with over a decade's experience researching and writing about consumer technology, from security and privacy to product reviews and tech news.
