Android preinstalled applications are full of vulnerabilities

Kryptowire company specialists conducted automatic analysis of applications that were preinstalled on Android-smartphones, and discovered more than 150 vulnerabilities.

“In research funded by the US Department of Homeland Security, the Kryptowire found apps secretly recording audio, changing phone settings without user permission and even granting themselves new permissions”, — write C|Net journalists.

The list of vendors on whose phones are found flaws includes industry leaders as Samsung, Xiaomi, Asus and Sony.

The objects of analysis performed using the Kryptowire own engine include modified versions of Android and original programs that are not part of the standard OS package. In the focus of experts’ attention were devices from 29 manufacturers on the US market.

“Testing revealed 146 vulnerabilities in them, almost a third of which are associated with escalation of privileges and enables third-party applications to gain unauthorized access to the system settings”,- say the researchers.

A large group of bugs is related to bypassing Android security boundaries. Researchers have found 34 applications that can install third-party programs on the device without checking the digital signature. Another 30 system utilities allow the launch of third-party products with extended privileges, regardless of the permissions available for this. Other vulnerabilities include the ability to change settings through a wireless connection, unauthorized use of a microphone, and dynamic downloading of third-party code.

Read also: Thousands of Disney + accounts are already sold on the darknet

The largest number of bugs – 33 – was found in the firmware of Samsung phones, on the second line are ASUS devices, in which were found 26 vulnerabilities, in third place was Xiaomi with 15 vulnerabilities.

Therefore, experts discovered and registered the following problems:

1. CVE-2019-15394 — any application installed on the Asus ZenFone 5 Selfie can interact with program components with the package name com.asus.atd.smmitest and gain permission to change the wireless settings.
2. CVE-2019-15446 — Samsung S7 phone design manager can be used by other preinstalled products to install third-party programs without the appropriate permissions.
3. CVE-2019-15475 — one of the Qualcomm chipset firmware modules in Xiaomi Mi A3 enables a malicious application to intercept microphone work and record phone calls.

Experts informed device manufacturers and developers of the operating system of the identified vulnerabilities. In response, Google representatives said they highly appreciate the work of researchers in the responsible disclosure of bugs found.