Mobile devices can be highly insecure, particularly smartphones. Take Android for instance. When you buy an Android smartphone it’s rarely a pure Android experience. Manufacturers often ship smartphones with their own apps and services, or in other words, bloatware. But beyond the usual annoyance, these apps and services could carry their own vulnerabilities. This essentially puts smartphones at risk before the devices even reach users’ hands.

As of November 2019, Kryptowire reports a whopping 146 vulnerabilities on Android smartphones in the form of pre-installed apps and firmware. These vulnerabilities were found across 29 vendors, including global heavyweights like Samsung, Asus, and Xiaomi. Of the 146, 41 (28.1%) pertain to System Properties Modifications and 34 (23.3%) relate to App Installation.

According to Kryptowire CEO Angelos Stavrou, “we wanted to understand how easy it is for someone to be able to penetrate the device without the user downloading an application”. He further goes on to state that, “If the problem lies within the device, that means the user has no options. Because the code is deeply buried in the system, in most cases the user cannot do anything to remove the offending functionality.”

The main issue here is that unlike a user downloading a suspicious app, these vulnerabilities come pre-loaded on the smartphone. In other words, users can always delete a suspicious download, but not pre-installed software.

In 2018, Kryptowire disclosed a similar report citing vulnerabilities across 10 popular Android devices. But its latest report includes a significant difference. According to WIRED, the company has built a tool that scans for issues at the firmware level. This works even if the device itself isn’t physically available for use. The tool also provides the following:

  • Automatic creation of a Proof of Concept
  • Validation of a vulnerability’s existence, mitigating any false positive alerts
  • Detection of “unsafe states”, meaning actions like obtaining screenshots, recording audio and changing settings when the device shouldn’t do so

The manufacturer’s responsibility

Of course, the responsibility doesn’t fall entirely on the manufacturers. Some of these vulnerabilities come from the OS level, i.e. Google. In a statement, the tech giant commented, “We appreciate the work of the research community who collaborate with us to responsibly fix and disclose issues such as these”. Google has its own process called Build Test Suite (BTS) that filters out potentially harmful weaknesses such as the above. Although only a little over a year old, BTS managed to contain 242 install-related issues before they reached the consumer level.

Despite Kryptowire disclosing the discovered vulnerabilities to the affected vendors, not all manufacturers believe these vulnerabilities are worth worrying about. Take Samsung for example. Kryptowire’s report cites 33 vulnerabilities in Samsung smartphones, originating from 6 preinstalled apps. 4 of these apps were built in-house. Samsung claims that owing to the broader Android security framework, these vulnerabilities don’t pose any threat. Samsung’s statement on the matter reads, “Since being notified by Kryptowire, we have promptly investigated the apps in question and have determined that appropriate protections are already in place.”

Regardless of the actual threats that the vulnerabilities may or may not pose, most Android manufacturers don’t offer proper procedures for reporting bugs and patching them afterward. In Samsung’s case, the company possesses the resources necessary to investigate these aspects in depth. But this isn’t the case with other vendors that aren’t as big as Samsung. To quote WIRED, “Outside of Google’s own Pixel line and a handful of well-resourced manufacturers, security updates are slow to hit Android devices under even the best of circumstances.”

Attackers are everywhere

Then again, security threats aren’t limited to preinstalled apps and firmware. Sometimes it can be as simple as a trigger from a user action. For example, installing apps from outside the Google Play Store is the most common way malware and other attacks get through to Android systems. Back in October, Symantec reported on an Android dropper app that managed to infect 45,000 devices in 6 months across India, Russia, and the US. Called ‘xhelper’, the malicious app was primarily distributed via unknown download sources as opposed to legitimate stores like Google Play Store.

Sometimes, even the Play Store itself could pose serious security lapses. A few months ago, it was revealed that 34 apps on the Google Play Store were infected with a malicious clicker trojan, compromising over 100 million Android users. Google may be doubling its efforts in beefing up security on the Play Store. But it’s likely that the attackers are working similarly hard. With Google Play Protect, the company has “detected and removed malicious developers faster, and stopped more malicious apps from entering the Google Play Store than ever before. The number of rejected app submissions increased by more than 55%, and we increased app suspensions by more than 66%.”

Keeping your smartphones safe

So what can users do to keep their smartphones away from ambitious hackers? Quite a few things actually. Some are obvious, others not so much. For starters, it’s advisable for Android users to stick only to the Google Play Store when downloading apps. Downloading from unknown sources can not only compromise your device’s security but also cause lapses in the phone’s functioning. Google Play Store might not be completely impenetrable. But it’s your best bet to make sure you only use safe apps.

Of course, it’s a bit tricky in the case of preinstalled apps’ vulnerabilities. There’s nothing much the users can do about them. Keeping one’s Android phone up to date is always a safe choice.

Furthermore, over time most users amass many apps on their smartphones. But not all of these apps are used on a regular basis. As a practice, it would be wise to delete any apps that have gone unused for a long period of time. Additionally, it would also make sense to clean up the phone frequently.

Finally, use an antivirus app on the phone. This adds a further level of security to the phone. But this comes at the cost of the phone’s overall performance.

All in all, mobile devices like Android systems are only as secure as the effort that proactively goes into their security. While the likes of Google attempt to ensure a more secure Android experience and phone manufacturers also join the party, the responsibility also falls on the user to proactively treat security as a priority when using Android smartphones.
