Code was found that could expose users’ devices to a complete takeover by hackers
Mobile security firm Kryptowire has spotted security flaws and bugs in the firmware of at least 10 different devices sold by carriers in America.
According to a report by Wired, the firm’s research pointed out security meltdowns that arose from code written by phone companies that sought to modify the Android operating system.
Such security lapses could have serious consequences, such as letting an attacker lock the user out of their device and gain control of sensitive information. Mobile phone companies such as Asus, Essential, LG, and ZTE have all promised to patch these security flaws.
The research concluded that exploiting the flaws would require users to download some form of malicious app that could take advantage of the flaws present in the firmware. The research was funded by the Department of Homeland Security and was presented at the Black Hat USA Security Conference.
Kryptowire states that such vulnerabilities arise from Android’s open nature, which gives third parties an opportunity to modify the code and change the interface or create a completely different version of Android. It was also found that such an open system can result in gaps in the security of the device and thus pose an endemic problem for Android.
“A lot of the people in the supply chain want to be able to add their own applications, customise, add their own code. That increases the attack surface, and increases the probability of software error,” said Angelos Stavrou, CEO of Kryptowire.
A similar case was discovered in the Asus Zenfone V Live, where Kryptowire found code sufficient to expose users to a complete takeover of their smartphones. This included taking screenshots and video recordings of the screen, thus possibly enabling hackers to read and change text messages. Asus confirmed the issue and said they were “aware of the recent security concerns” and are “working diligently and swiftly to resolve them” with a patch.
After being alerted by Kryptowire, smartphone companies such as Essential, LG and ZTE issued statements saying they had fixed some or all of the problems detected by Kryptowire.