Vulnerabilities in pre-installed apps expose millions of Android devices

Your new phone could be remotely hacked

Almost all Android phones include apps pre-installed by manufacturers or operators, known as bloatware. No one uses them and they occupy space in the device storage, but there could be more problems: according to several enterprise network security specialists, there is not much to do if one of these apps contains a backdoor or some other vulnerability.

A group of researchers revealed details on 47 different vulnerabilities in the firmware and the default apps (pre-installed and mostly non-removable) of 25 Android devices. The flaws could allow hackers to spy on users and reset their devices to factory configurations, putting millions of Android devices at risk.

At least 11 of those vulnerable smartphones are manufactured by companies like Asus, ZTE, LG and Essential Phone, and distributed by U.S. service providers like Verizon and AT&T. Other major brands of Android phones include Vivo, Sony, Nokia and Oppo, as well as many smaller manufacturers such as Sky, Leagoo, Plum, Orbic, MXQ, Doogee, Coolpad and Alcatel.

Some of the vulnerabilities described by enterprise network security investigators could allow a hacker to execute arbitrary commands to erase all data from a device, lock users out of their devices, access the device’s microphone and other features, access all of the user’s data, or read and modify messages, all without the phone user knowing about the attack. “All these vulnerabilities are previously prepared; a user is vulnerable as soon as he takes his phone out of the box and starts using it”, the researchers commented.

For example, the vulnerabilities in the Asus ZenFone V Live could allow a full takeover of the system, letting attackers take screenshots and record the user’s screen, make phone calls, spy on text messages and more.

The researchers commented that these vulnerabilities arise from the open nature of the Android operating system, which allows third parties, such as device manufacturers and operators, to modify the code and create completely different versions of the operating system. This is the same team of enterprise network security researchers who discovered the backdoor, present in more than 700 million Android smartphones, that collected text messages, call logs, contact lists, location history and other data every 72 hours.

Some of the affected companies have already released patches for the vulnerabilities, while others are in the process of doing so.

According to enterprise network security experts from the International Institute of Cyber Security, since the Android operating system itself is not affected by these vulnerabilities, there is not much Google can do about it, because it has no control over the apps pre-installed by manufacturers and operators.