Android users are being warned about a major vulnerability affecting new Android phones and tablets that could lead to unsecured handsets. The risk was first raised last week at the annual DEF CON security conference in Las Vegas, with poor manufacturer practice identified as one of the main reasons for the problem.
Research presented by security firm Kryptowire singled out a host of manufacturers. It drew attention to their specific Android phone models as having security issues, some of which are so severe as to leave unsecured back doors wide open into devices.
Phone and tablet brands including ZTE, Vivo, Sony, Nokia and LG were all named, with a wide range of issues that could be a concern for customers and carriers.
Read on to see if your Android phone is one of the affected devices.
Android Security Flaws Explained
Of the Android phones Kryptowire tested, 11 are available through US carriers. The report found elements that rendered the handsets unsecured or vulnerable to attack, and although all the models had issues, the avenues for attack were myriad.
While there were multiple flaws found in the Android software, some were more startling than others. One gave visibility to third parties of the contact list on a user’s phone. An invasion of privacy, certainly, but small fry compared to the one that allowed the phone to secretly record the user and write the audio to the SD card.
Similarly, another could be used to screenshot the user’s phone without their knowledge. There was also a way to read all the user’s texts, and even to send messages from the phone.
How Did This Happen?
The issue, it seems, is down to Android’s main strength as an operating system – it’s an open platform.
While this means that manufacturers can tailor the OS to the handset and introduce their own third-party apps, it also leaves a large margin for error should they overlook important security issues. The findings don’t suggest that these bugs are malicious or even intentional, but simply an unwanted byproduct of the system being easy to customize.
It could be that a bug was missed – a victim of the tight turnaround times expected from developers and the crush to get the latest apps on the latest handsets. Bug-testing is time-consuming and can be expensive, so it’s perhaps no surprise that issues which turn out to be major security risks get missed.
It’s important to note that the problems are isolated purely to the third-party apps, not the Android operating system. However, if you think that fixing the problem is as simple as deleting the third-party apps, think again. Quite often, these are deliberately designed so they can’t be removed by the user.
Fixing the Android Security Problems
The good news is that some manufacturers have already taken steps to resolve these issues, with companies such as Asus, LG and ZTE issuing statements. Asus told the press, “Asus is aware of the recent ZenFone security concerns and is working to swiftly and diligently resolve them with software updates.” As the Asus ZenFone V was one of the worst affected handsets, with flaws that allowed potential recording of the screen’s contents and reading of text messages, that fix can’t come soon enough.
LG stated, “LG was made aware of the vulnerabilities and has introduced security updates to address these issues. In fact, most of the reported vulnerabilities have already been patched or have been included in upcoming scheduled maintenance updates not related to security risks.”
While it’s positive that manufacturers are taking the findings of the Kryptowire team seriously, it’s important to note that the fixes are being issued through updates, so the user still has to accept and download the latest patch before they are protected. If you own one of the phones affected, be sure to update it at the earliest opportunity.
Which Android Phones are Affected?
Courtesy of Kryptowire, below is a full list of the handsets that are potentially vulnerable, plus an explanation of the flaws each could suffer from.
Be aware that most vulnerabilities in this list can be activated by an unscrupulous app, so stick with the Google Play store to ensure you’re getting legitimate downloads.
Manufacturer | Model | OS version | Potential issue |
---|---|---|---|
ZTE | ZMAX Pro | 6.0.1 | Send text messages |
ZTE | ZMAX Pro | 6.0.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages |
ZTE | ZMAX Champ | 6.0.1 | A pre-installed app allows any app on the device to cause the device to get stuck in an unfixable recovery bootloop. |
ZTE | ZMAX Champ | 6.0.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
ZTE | ZMAX Pro | 6.0.1 | Obtain the numbers of contacts and numbers of people that the user has texted |
ZTE | Blade Spark | 7.1.1 | Obtain the logcat log which gets written to the sdcard. This can be mined for user data. This does leave a sticky notification. |
ZTE | Blade Vantage | 7.1.1 | A pre-installed app allows any app on the device to make the system write the modem log to the sdcard. This contains the sent and received text messages and the call data. |
Vivo | V7 | 7.1.2 | Record the screen and write it to app’s private directory. A notification and floating icon pop up initially, but these can be quickly removed. |
Vivo | V7 | 7.1.2 | Obtain the kernel log and also the logcat log which get written to the sdcard. This can be mined for user data. This does leave a sticky notification. |
Vivo | V7 | 7.1.2 | Provides the capability to set system properties as the com.android.phone user. With this and the vulnerability above, you can capture the input of the user (where they touch the screen) and the bluetooth snoop log. |
Sony | Xperia L1 | 7 | Take screenshot of the screen which can be used to examine the user’s notifications. |
SKY | Elite 6.0L+ | 6 | Command execution as the system user via old version of Adups software |
Plum | Compass | 6 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
Orbic | Wonder | 7.1 | Pairing with the vulnerability above, the user can get the body of text messages and call data since the default messaging app is in debug mode, so the telephony data is written to the log. The log is written to the sdcard so any app can use the vulnerability above to get this data. |
Orbic | Wonder | 7.1.2 | A pre-installed app allows the user to obtain the logcat log that gets written to the sdcard continuously. The logcat log is not available to third-party apps since it contains sensitive user data. The user can start the app so that it will not show up in the recent apps list and then dismiss it by going to the home screen so it will not be accessible to the user. It will continuously write the log file to the sdcard. |
Orbic | Wonder | 7.1.2 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
Oppo | F5 | 7.1.1 | Surreptitiously audio record the user and write it to the sdcard. This does require the command execution as system user to copy the recording file. |
Oppo | F5 | 7.1.1 | Command execution as the system user |
Nokia | 6 TA-1025 | 7.1.1 | Take screenshot of the screen which can be used to examine the user’s notifications. |
MXQ | TV Box | 4.4.2 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
MXQ | TV Box | 4.4.2 | Make the device non-functional. The device will not boot properly even after a factory reset. The device can likely be recovered by placing clean firmware images on the sdcard and flashing them. |
LG | G6 | 7 | Can lock a user out of their own phone (even in safe mode) and the user will be forced to factory reset in recovery mode. The user may be able to unlock the device if they have ADB enabled prior to the locking of the screen and can figure out how to unlock it, which may be difficult for the average user. This acts as a Denial of Service attack and results in data loss if a factory reset occurs. |
LG | G6 | 7 | Obtain the logcat logs continuously, which are not available to third-party apps since they leak sensitive user data. The log file can be written to the app’s private directory by using path traversal. |
LG | G6 | 7 | Obtain the kernel log and also the logcat log which get written to the sdcard. This can be mined for user data. It also creates a file on the sdcard containing the phone IMEI and serial number. |
Leagoo | Z5C | 6 | Read the last text message from each conversation. The last message will contain the phone number, text body, timestamp, and the contact’s name (if any) |
Leagoo | P1 | 7 | Take screenshot of the screen which can be used to examine the user’s notifications. |
Leagoo | P1 | 7 | Local root privilege escalation via ADB. The vendor allows read-only properties to be modified. They could also perform this behavior to get root privileges. |
Leagoo | P1 | 7 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
Leagoo | Z5C | 6 | Send text messages |
Leagoo | Z5C | 6 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
Essential | Essential | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
Doogee | X5 | 6 | Video-record the screen. This capability can be used in a similar way as taking screenshots by opening apps that show the user’s messages. The recording is not transparent to the user. |
Coolpad | Revvl Plus | 7.1.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages |
Coolpad | Canvas | 7 | Provides the capability to set system properties as the com.android.phone user. |
Coolpad | Defiant | 7.1.1 | Send text messages |
Coolpad | Revvl Plus | 7.1.1 | Provides the capability to set system properties as the com.android.phone user. |
Coolpad | Revvl Plus | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
Coolpad | Revvl Plus | 7.1.1 | Send text messages |
Coolpad | Canvas | 7 | Obtain the logcat logs, kernel logs, and tcpdump capture which are written to the sdcard. This leaves a notification active. The logs contain the body of sent and received text messages. |
Coolpad | Defiant | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. |
Coolpad | Defiant | 7.1.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages |
Asus | ZenFone 3 Max | 7 | A pre-installed app with an exposed interface allows any app on the phone to obtain a bugreport (kernel log, logcat log, dump of system services (includes text of active notifications), WiFi passwords, and other system data) that gets written to the sdcard. The numbers for received and placed telephone calls show up in the log, as well as the sending and receiving telephone numbers for text messages. |
Asus | ZenFone 3 Max | 7 | Arbitrary app installation over the internet. Then this app can also be uninstalled after it is run using the same interface. |
Asus | ZenFone 3 Max | 7 | Take screenshot of the screen which can be used to examine the user’s notifications. |
Asus | ZenFone 3 Max & ZenFone V Live | 7 | Command execution as the system user |
Alcatel | A30 | 7 | Take screenshot of the screen which can be used to examine the user’s notifications. |
Alcatel | A30 | 7 | Local root privilege escalation via ADB. The vendor allows read-only properties to be modified. They could also perform this behavior to get root privileges. This was an Amazon Prime exclusive device. |
Original table and more information can be found at https://www.kryptowire.com/portal/android-firmware-defcon-2018/
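Most rows in the table share one bug class: a pre-installed app exports a component (service, receiver, activity or provider) that any other app on the device can call, with no permission guarding it. As an added example, not code from this article or from Kryptowire, the Python below audits an AndroidManifest for exactly that condition; it assumes the pre-Android-12 export default (explicit android:exported wins, otherwise an intent-filter means exported), ignores the older content-provider default, and runs on a constructed sample manifest for a hypothetical vendor diagnostics app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None when absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Pre-Android-12 rule (assumed here): an explicit android:exported wins;
    otherwise a component with an <intent-filter> is reachable by other apps."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def find_unprotected_exports(manifest_xml):
    """Return (tag, name) for every exported component no permission guards,
    i.e. the 'any app on the device can trigger it' pattern from the table."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for app in root.iter("application"):
        for comp in app:
            if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
                continue
            if _attr(comp, "permission"):  # caller must hold this permission
                continue
            findings.append((comp.tag, _attr(comp, "name")))
    return findings


# Constructed sample manifest (hypothetical package, not any real vendor's):
# one unguarded log-dump service, one reset receiver exported via its
# intent-filter, one service correctly guarded by a permission, and one
# activity that is not exported at all.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendordiag">
  <application>
    <service android:name=".LogDumpService" android:exported="true" />
    <receiver android:name=".FactoryResetReceiver">
      <intent-filter><action android:name="com.example.RESET" /></intent-filter>
    </receiver>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="android.permission.DUMP" />
    <activity android:name=".MainActivity" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name in find_unprotected_exports(SAMPLE_MANIFEST):
        print(f"{tag} {name}: exported without a permission")
```

On a real device the same check can be run against each system package’s manifest pulled via adb; a vendor patch for this class of flaw typically shows up as the component gaining android:permission or android:exported="false".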