Android smartphone devices produced by the world’s most prominent manufacturers, including Huawei, Samsung and Xiaomi, are being openly shipped and sold with radically different levels of on-board security in different countries, according to researchers at Finland’s F-Secure.
This variance highlights a significant gap and barrier to wider knowledge and understanding of Android device security around the world, but also points the way to a potentially more insightful attitude to vulnerability research.
“Finding problems like these on multiple well-known handsets shows this is an area that the security community needs to look at more carefully,” said Mark Barnes, senior security researcher at F-Secure Consulting.
“Our research has given us a glimpse of just how problematic the proliferation of custom-Android builds can be from a security perspective. And it’s really important to raise awareness of this among device vendors, but also large organisations with operations in several different regions.”
F-Secure’s research teams examined multiple devices, including, but not limited to, the Huawei Mate 9 Pro, the Samsung Galaxy S9 and the Xiaomi Mi 9.
They found that the exploitation processes for Android vulnerabilities and configuration varied from device to device, which is important because it implies that devices sold globally offer different levels of security to users located in different countries.
More concerningly, the level of security a user receives ultimately depends on the way the supplier configures the device – so two people in different countries can buy the same basic device, but one will be substantially more insecure than the other.
“Devices that share the same brand are assumed to run the same, irrespective of where you are in the world,” said James Loureiro, UK research director at F-Secure Consulting. “However, the customisation done by third-party vendors such as Samsung, Huawei and Xiaomi can leave these devices with significantly poor security, dependent on what region a device is set up in or the SIM card inside of it.
“Specifically, we have seen devices that come with over 100 applications added by the vendor, introducing a significant attack surface that changes by region.”
For example, the Samsung Galaxy S9 detects the region within which its SIM card is operating, which, in turn, influences how the device behaves.
F-Secure’s researchers said they found a way to exploit an application to give an attacker full control of the device if the device detected it was running a Chinese SIM, but not a SIM from another country.
Similar issues exist on the Huawei and Xiaomi devices tested. F-Secure said it had compromised Huawei Mate 9 Pro devices in China. In that country, where access to Google Play is banned, Huawei offers an app store called AppGallery. Huawei AppGallery contains multiple vulnerabilities that a hacker could use to establish a so-called beachhead to launch further attacks against Chinese Mate 9 Pro users, including remote code execution and data theft.
On the Xiaomi Mi 9, F-Secure said vulnerabilities in the supplier’s GetApps store meant attackers could take full control of the device by manipulating users into visiting a compromised website that they control. This vulnerability exists in China, India, Russia, and possibly some other countries. A similar attack is possible using attacker-controlled near field communication (NFC) tags.
F-Secure has already demonstrated attacks using these vulnerabilities at Pwn2Own – an ongoing series of hacking competitions in which teams try to compromise various devices by exploiting previously undiscovered zero-days. All of the vulnerabilities described above have since been patched.