Keeping your phone safe from malicious apps is hard enough, and Google removes hundreds of thousands of bad apps every year.
The phone is an attractive target. Apps get broad access to your device, including your contacts, your location and your data usage, among the many private details you share with your phone.
So you can imagine how challenging it is when there are apps with security issues that are preinstalled on multiple Android phones.
Security researchers from Kryptowire, a security company, found 38 different security issues that could allow spying and factory resets, preloaded on 25 Android phones.
The vulnerabilities are just the latest setback for Android, which suffers from the perception that it's a less secure mobile platform than Apple's iOS. Google has been working to fix its image, forcing security updates from vendors and pushing out malicious apps, but such revelations do not help. It is also a reminder that consumers must be more vigilant when it comes to protecting the information on their mobile devices.
Angelos Stavrou, CEO of Kryptowire, and Ryan Johnson, the company's research director, revealed their findings at the DEFCON hacker conference on Friday.
"All of these are vulnerabilities that are prepositioned. They come as you get the phone out of the box," said Stavrou. "It's important because consumers think they're only exposed if they download something bad."
An Essential spokeswoman said that the company fixed these problems when Kryptowire reached out to it. A spokesperson from LG said that the company has introduced security updates to fix the vulnerabilities.
"ASUS is aware of the latest ZenFone vulnerabilities that have been raised and is working hard and fast to fix them with software updates that will be distributed over-the-air to our ZenFone users," said a spokesman for ASUS in a statement.
AT&T said that updates have been distributed to resolve the issue.
ZTE did not respond to a request for comment. Verizon did not respond to a request for comment.
"The issues they have outlined do not affect the Android operating system, but rather third-party code and device applications. Together with Kryptowire, we've reached out to the affected Android partners to address these issues," a Google spokeswoman said in a statement.
Hackers can potentially exploit the preinstalled vulnerabilities to take screenshots, brick or factory reset a device, or steal private information by getting a victim to download malware, Johnson said. They may also potentially learn what a person wrote and read, and who they are in contact with.
Given that thousands of people fall for malicious apps that pose as harmless tools like flashlights or popular games like Fortnite, it's not hard to get people to download the right kind of malware.
While most apps cannot access protected files, they can use the flaws in these preinstalled apps as openings to get in, Johnson said in an interview before DEFCON.
Part of the problem is that phone manufacturers have free rein to put whatever programs they want on the devices they sell. Although Google is able to patrol its Play Store and block malicious software or applications with security vulnerabilities, it does not have much control over what comes on devices, researchers say.
"Any provider can create an Android design," Johnson said. "Some of the preinstalled apps might not get a review of anything Google creates with their own apps."
Because there are so many different phone manufacturers out there for Android devices, it's hard for Google and researchers to keep track of all preinstalled applications, Johnson said. Some vendors do a better job than others of making sure the preinstalled apps are safe.
Vulnerabilities are different across phones because they each have different preinstalled programs, Kryptowire researchers said.
Some are serious, like the one on the Essential Phone, which had a vulnerability that allows an attacker to trigger a factory reset. The flaw is due to a preinstalled app named "com.ts.android.hiddenmenu." Any app on the device could access the preinstalled app and use it to reach the Essential Phone's system and delete all the data stored on it, said Stavrou.
Other vulnerabilities, such as those on the ASUS ZenFone 3 Max, allow apps to install other apps over the Internet, get Wi-Fi passwords, set up keyloggers, eavesdrop on text messages and make phone calls. These were also present on the ZenFone V and the ZenFone 4 Max and Max Pro, according to the researchers.
There may be more out there, the researchers said, considering that they have not looked at each and every Android device available. With more than 24,000 different types of Android devices logged in 2015, it would be a monumental task to run vulnerability searches on each one.
"As an end user, there is not much you can do," said Stavrou. "Someone will have to scan and analyze your firmware and find the security issues."