Malware Pre-installed On Your Android Phone?
Mobile operating systems are complex beasts, so it’s no surprise that each new version of Android comes with one or two theoretical security flaws that could, if discovered by hackers before they are patched, spell disaster for unhappy users. Did your smartphone come with malware pre-installed? Read on...
Malware on Your Android Phone?
Guess how many security flaws two researchers with the Kryptowire security consultancy found in factory-fresh copies of 25 Android phones made by 11 different OEMs (vendors) including Asus, ZTE, LG and the Essential Phone; devices distributed by the likes of AT&T and Verizon.
Two? Ten? How about more than three dozen? Thirty-eight, to be exact. These vulnerabilities enabled hackers to do everything from mere mischief – such as triggering random factory resets – to real-time eavesdropping or hoovering up all of a user’s personal data and transmitting it to unknown servers on the Internet. Some of the affected phones include the LG G6, the Essential Phone, the Sony Xperia L1, and the Asus ZenFone 3 Max.
What the heck, Google! Why do you let such sloppy programming get out the door? Oh wait, it's not Google's fault? Then who is to blame?
The thing is, none of the vulnerabilities lay in the Android operating system itself. Instead, they were in apps written or licensed by vendors and carriers and pre-installed by them on the phones sold to consumers. Many of the dozens of apps that come with a phone and are part of its branding happen to be shabby, leaky examples of bad programming. They are egregious betrayals of trust.
"All of these are vulnerabilities that are prepositioned. They come as you get the phone out the box," said Angelos Stavrou, Kryptowire's CEO, at the DEFCON hackers conference where Kryptowire’s research was reported. "That's important because consumers think they're only exposed if they download something that's bad."
In hindsight, it is no surprise that OEM apps – also known as “bloatware” or unnecessary software – are security sieves. These apps are last-minute additions to new hardware platforms, like the ribbon bow that is the final touch on a present. Product launch deadlines must be met, and if time was lost earlier in the development process it can be shaved off at the end by omitting rigorous security testing of bloatware. Who has time or resources for that sort of stuff, anyhow?
AT&T, Verizon, LG Electronics, Motorola, and even startups like Essential, that’s who. It is an unforgivable betrayal to ship phones with bloatware that has not been thoroughly vetted and hardened against hackers and malware.
Executives with Essential said the company has already fixed the flaws highlighted at DEFCON after Kryptowire “reached out” to them. LG said it is in the process of rolling out patches. AT&T also said it is issuing patches for its products.
"ASUS is aware of the recent ZenFone security concerns raised and is working diligently and swiftly to resolve them with software updates that will be distributed over-the-air to our ZenFone users," an ASUS spokesman said in a statement. Translation: we are still trying to figure out what to do.
ZTE and Verizon did not respond to media requests for comment. "The issues they have outlined do not affect the Android operating system itself, but rather, third party code and applications on devices. Together with Kryptowire, we have reached out to affected Android partners to address these issues," a Google spokesperson said in a statement.
How Bad Are These Flaws?
Nefarious things enabled by flawed bloatware include keylogging of usernames and passwords, captures of screenshots showing users’ bank details and other sensitive data, logging of who a person contacts and what about, and other familiar dirty tricks. But the privileged nature of OEM-installed apps makes them far more dangerous than garden-variety malware.
Pre-installed apps often have higher privileges than apps installed by users. This special privilege can be exploited by malicious apps to do things they cannot do directly, if the pre-installed apps can be subverted via the vulnerabilities discovered by Kryptowire. For instance, pre-installed apps may be able to access protected files on a device.
The vulnerabilities on ASUS's ZenFone 3 Max enable apps to download and install other apps from any source, obtain WiFi passwords, intercept text messages, and make phone calls (perhaps to $5.99 per minute “premium” voice services).
The Essential Phone had a vulnerability that enabled a malicious app to trigger a factory reset that wipes out all user data stored on a phone.
The researchers dug into only 11 different phones, but there are more than 24,000 out there. It would be impossible to exhaustively vet the pre-installed apps on every single make and model. But OEMs aren’t even trying to protect their best-sellers.
"As an end user, there's not much you can do," Stavrou said. "Someone would have to scan and analyze your firmware and find the vulnerabilities." Yikes.
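As an added illustration (not code from the article or from Kryptowire), here is one check that this kind of firmware analysis can include: listing the components a pre-installed app exposes to other apps without a permission guard, and noting whether the app runs under the system UID. The manifest, package name and component names are constructed, and treating unguarded exported components as the weakness is an assumption, since the article does not describe the specific flaws.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded AndroidManifest.xml live in this namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest of a hypothetical pre-installed app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.oem.devicecare"
    android:sharedUserId="android.uid.system">
  <application>
    <service android:name=".ResetService" android:exported="true"/>
    <receiver android:name=".LogReceiver">
      <intent-filter><action android:name="com.example.oem.DUMP_LOGS"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.oem.permission.SYNC"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""

def unguarded_exported_components(manifest_xml):
    """Return (runs_as_system, [(tag, name), ...]) for reachable, unguarded components."""
    root = ET.fromstring(manifest_xml)
    # Apps sharing android.uid.system run with the system's privileges.
    runs_as_system = root.get(A + "sharedUserId") == "android.uid.system"
    findings = []
    app = root.find("application")
    if app is None:
        return runs_as_system, findings
    app_permission = app.get(A + "permission")  # default guard for all components
    for comp in app:
        # Content providers have separate read/write permissions; not modelled here.
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        exported = comp.get(A + "exported")
        if exported is None:
            # Historical default: exported when an intent filter is declared.
            is_exported = comp.find("intent-filter") is not None
        else:
            is_exported = exported == "true"
        guarded = comp.get(A + "permission") or app_permission
        if is_exported and not guarded:
            findings.append((comp.tag, comp.get(A + "name")))
    return runs_as_system, findings

if __name__ == "__main__":
    system, findings = unguarded_exported_components(SAMPLE_MANIFEST)
    print("runs as system UID:", system)
    for tag, name in findings:
        print("unguarded exported", tag, name)
```

A finding here is only a lead for manual review: whether a reachable component actually does anything sensitive depends on its code.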
The only silver lining in this story is that most of the vulnerabilities that Kryptowire discovered require the user to download an app that is specially designed to exploit them. So I'll repeat my Android security advice here: If you're going to install an app, make sure it's from the official Google Play Store, and that it already has lots (thousands) of users and positive reviews.
This article was posted by Bob Rankin on 6 Sep 2018
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Malware Pre-installed On Your Android Phone? (Posted: 6 Sep 2018)