Tech.co logo

Manufacturers Selling Unsecured Android Phones

August 14, 2018

12:48 pm

Android users are being warned about a major vulnerability affecting new Android phones and tablets that could lead to unsecured handsets. The risk was first raised last week at the annual DEF CON security conference in Las Vegas, with poor manufacturer practice identified as one of the main reasons for the problem.

Research presented by security firm Kryptowire singled out a host of manufacturers. It drew attention to their specific Android phone models as having security issues, some of which are so severe as to leave unsecured back doors wide open into devices.

Phone and tablet brands including ZTE,  Vivo, Sony, Nokia and LG were all named, with a wide range of issues that could be a concern for customers and carriers.

Read on to see if your Android phone is one of the affected devices.

Some good news? None of our Best Phones of the Year were affected by this security flaw

Android Security Flaws Explained

Kryptowire discovered that on the Android phones it tested, 11 of them are available through US carriers. The report found that elements that rendered the handsets unsecured or vulnerable to attack, and although all the models had issues, the avenues for attack were myriad.

One flaw gave visibility to third parties of the contact list on a user's phone.

While there were multiple flaws found in the Android software, some were more startling than others. One gave visibility to third parties of the contact list on a user's phone. An invasion of privacy, certainly, but small fry compared to the one that allowed the phone to secretly record the user and write the audio to the SD card.

Similarly, another could be used to screenshot the user's phone without their knowledge. There was also a way to read all the user's texts, and even to send messages from the phone.

How Did This Happen?

The issue, it seems, is down to Android's main strength as an operating system – it's an open platform.

While this means that manufacturers can tailor the OS to the handset and introduce their own third party apps, it also leaves a somewhat large margin of error should they overlook important security issues. The findings don't suggest that these bugs are malicious or even intentional, but simply an unwanted byproduct of the system being easy to customize.

It could be that a bug was missed – a victim of the tight turnaround times expected from developers and the crush to get the latest apps on the latest handsets. Bug-testing is time-consuming and can be expensive, so it's perhaps no surprise that issues that can turn out to be major security risks can be missed.

It's important to note that the problems are isolated purely to the third-party apps, not the Android operating system. However, if you think that fixing the problem is as simple as just deleting the third party apps, think again. Quite often, these are deliberately designed so they can't be removed by the user.

Fixing the Android Security Problems

The good news is that some manufacturers have already taken steps to resolve these issues, with companies such as Asus, LG and ZTE issuing statements. Asus told the press, “Asus is aware of the recent ZenFone security concerns and is working to swiftly and diligently resolve them with software updates.” As the Asus Zenfone V was one of the worst affected handsets, that allowed potential recording of the screens contents and reading text messages, that fix can't come soon enough.

LG stated ‘LG was made aware of the vulnerabilities and has introduced security updates to address these issues. In fact, most of the reported vulnerabilities have already been patched or have been included in upcoming scheduled maintenance updates not related to security risks'.

While it's positive that manufacturers are taking the findings of the Kryptowire team seriously, it's important to note that the fixes are being issued through updates, so the user still has to accept and download the latest patch before they are protected. If you own of the phones affected, be sure to update it as the earliest opportunity.

Which Android Phones are Affected?

Courtesy of Kryptowire, below is a full list of the handsets that are potentially vulnerable, plus an explanation of the flaws each could suffer from.

Be aware that most vulnerabilities in this list can be activated by an unscrupulous app, so stick with the Google Play store to ensure you're getting legitimate downloads.

ManufacturerModelOS versionPotential issue
ZTEZMAX Pro6.0.1Send text messages
ZTEZMAX Pro6.0.1Obtain all the text messages of the user and also insert, modify, and delete text messages
ZTEZMAX Champ6.0.1A pre-installed app allows any app on the device to cause the device to get stuck in an unfixable recovery bootloop.
ZTEZMAX Champ6.0.1A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss.
ZTEZMAX Pro6.0.1Obtain the numbers of contacts and numbers of people that the user has texted
ZTEBlade Spark7.1.1Obtain the logcat log which get written to the sdcard. This can be mined for user data. This does leave a sticky notification.
ZTEBlade Vantage7.1.1A pre-installed app allows any app on the device to make the system write the modem log to the sdcard. This contains the send and received text messages and the call data.
VivoV77.1.2Record the screen and write it to app's private directory. A notification and floating icon pop up initiatlly, but these can be quickly removed.
VivoV77.1.2Obtain the kernel log and also the logcat log which get written to the sdcard. This can be mined for user data. This does leave a sticky notification.
VivoV77.1.2Provides the capability to set system properties as the com.android.phone user. With this and vulnerability above, you can caputre the input of the user (where they touch the screen) and the bluetooth snoop log.
SonyXperia L17Take screenshot of the screen which can be used to examine the user's notifications.
SKYElite 6.0L+6Command execution as the system user via old version of Adups software
PlumCompass6A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss.
OrbicWonder7.1Pairing with the vulnerability above, the user can get the body of text messages and call data since the default messaging apps is in debug mode, so the telephony data is written to the log. The log is written to the sdcard so any app can use the vulnerability above to get this data.
OrbicWonder7.1.2A pre-installed app allows the user to obtain the logcat log that get written to the sdcard continuosly. The logcat log is not available to third-party apps since it contains sensitive user data. The user can start the app with so it will not show up in the recent apps list and then dismiss it by going to the home screen so it will not be accessible to the user. It will continuosly write the log file to the sdcard.
OrbicWonder7.1.2A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss.
OppoF57.1.1Surreptitiously audio record the user and write it to the sdcard. This does require the command execution as system user to copy the recording file.
OppoF57.1.1Command execution as the system user
Nokia6 TA-10257.1.1Take screenshot of the screen which can be used to examine the user's notifications.
MXQTV Box4.4.2A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss.
MXQTV Box4.4.2Make the device non-functional. The device will not boot properly even after a factory reset. The device can likely be recovered by placing clean firmware images on the sdcard and flashing them.
LGG67Can lock a user out of their own phone (even in safe mode) and the user will be forced to factory reset in recovery mode. The user may be able to unlock the device if they have ADB enabled prior to the locking of the screen and can figure out how to unlock it hich may be difficult for the average user. This acts as a Denial of Service attack and results in data loss if a factory reset occurs.
LGG67Obtain the logcat logs continuosly which are not available to third party apps since they leak senstive user data. The log file can be written to the app's private directory by using path traversal.
LGG67Obtain the kernel log and also the logcat log which get written to the sdcard. This can be mined for user data. It also creates a file on the sdcard containing the phone IMEI and serial number.
LeagooZ5C6Read the last text message from each conversation. The last message will containt the phone number, text body, timestamp, and the contact's name (if any)
LeagooP17Take screenshot of the screen which can be used to examine the user's notifications.
LeagooP17Local root privilege escalation via ADB. The vendor allows read only properties to be modified. They could also peform this behavior to get root privileges.
LeagooP17A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss.
LeagooZ5C6Send text messages
LeagooZ5C6A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss.
EssentialEssential7.1.1A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss.
DoogeeX56Video record of the screen. This capability can be used in a similar way as taking screenshots by opening apps that show the user's messages. The recording is not transparent to the user.
CoolpadRevvl Plus7.1.1Obtain all the text messages of the user and also insert, modify, and delete text messages
CoolpadCanvas7Provides the capability to set system properties as the com.android.phone user.
CoolpadDefiant7.1.1Send text messages
CoolpadRevvl Plus7.1.1Provides the capability to set system properties as the com.android.phone user.
CoolpadRevvl Plus7.1.1A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss.
CoolpadRevvl Plus7.1.1Send text messages
CoolpadCanvas7Obtain the logcat logs, kernel logs, and tcpdump capture which are written to the sdcard. This leaves a notification active. The logs contain the body of sent and received text messages.
CoolpadDefiant7.1.1A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss.
CoolpadDefiant7.1.1Obtain all the text messages of the user and also insert, modify, and delete text messages
AsusZenFone 3 Max7A pre-installed app with an exposed interface allows any app on the phone to obtain a bugreport (kernel log, logcat log, dump of system services (includes text of active notifications), WiFi Passwords, and other system data gets written to the sdcard. The numbers for received and placed telephone calls show up in the log, as well as the sending and receving telephone numbers for text messages.
AsusZenFone 3 Max7Arbitrary app installation over the internet. Then this app can also be uninstalled after it is run using the same interface.
AsusZenFone 3 Max7Take screenshot of the screen which can be used to examine the user's notifications.
AsusZenFone 3 Max & ZenFone V Live7Command execution as the system user
AlcatelA307Take screenshot of the screen which can be used to examine the user's notifications.
AlcatelA307Local root privilege escalation via ADB. The vendor allows read only properties to be modified. They could also peform this behavior to get root privileges. This was an Amazon Prime exclusive device.

Original table and more information can be found at https://www.kryptowire.com/portal/android-firmware-defcon-2018/

Did you like this article?

Get more delivered to your inbox just like it!

Sorry about that. Try these articles instead!

Jack is the Content Manager for Tech.co. He has been writing about a broad variety of technology subjects for over a decade, both in print and online, including laptops and tablets, gaming, and tech scams. As well as years of experience reviewing the latest tech devices, Jack has also conducted investigative research into a number of tech-related issues, including privacy and fraud.