- The revelation was made at the Black Hat security conference
- Security firm Kryptowire has published the findings
- The report is critical of Android’s open nature
Google’s Android operating system has since inception been known to be susceptible to third-party interference given its open nature. At the annual Black Hat security conference this year, in Las Vegas, the researchers over at mobile security firm Kryptowire have uncovered substantial vulnerabilities in at least 10 different Android devices sold in the US across mobile carriers. A report reveals that the potential effects noted in the finding include the ability to lock someone out of their own device, gain remote access to microphone, camera, etc. Kryptowire is funded by the US Department of Homeland Security (DHS).
These bugs are a result of Android’s policies that allow third-party sources to modify code as per their liking, reports The Wired. While these interferences allow users to experience custom variants of vanilla Android, they end up causing update delays as well as giving malicious users access to something that should not have been given in the first place.
This problem is not likely to go away anytime soon. Kryptowire CEO Angelos Stavrou explains, “The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error. They’re exposing the end user to exploits that the end user is not able to respond to.”
The report does not call out any particular manufacturer and instead critiques the entire Android ecosystem as having an endemic problem of malicious code pushed by the numerous hands that contribute to the ecosystem. Kryptowire did, however, specify issues for one particular smartphone – Asus ZenFone V Live. According to the firm’s findings, this phone can potentially be part of a system takeover with third parties gaining access to actions like taking screenshots, video recordings, making phone calls, and modifying text messages.
Kryptowire recommends using only Google Play to install apps, and avoiding third-party sources altogether. This is because vulnerabilities can sneak into Android devices without informing the user of permissions, especially from external sources.
After the findings were made public, Essential has confirmed that a patch has been issued for the Essential Phone. Even LG is known to have issued security updates to resolve the issue. Chinese manufacturer ZTE, banned in the US, has stated that updates are being delivered and that the company is working with its partners to ensure future maintenance releases.