Android smartphones can fall vulnerable to a wide number of security threats due to customisations in the core operating system files made by handset manufacturers, a new study has warned.
The research by security firm F-Secure reviewed several flagship smartphones, including the Samsung Galaxy S9, Huawei Mate 9 Pro and Xiaomi Mi 9, and found that the presence of pre-loaded applications in the custom Android skin and tweaked region-specific settings on devices can impact users differently, based on their geo-location.
However these tweaks can create gaps or flaws in the installed software, leaving the devices open to attack.
Most Android smartphone makers apply a custom skin on top of the core Android OS. This skin is supposed to bring in additional applications, features and enhanced settings that are not normally found on a smartphone running on stock Android.
But James Loureiro, UK director of research at F-Secure Consulting, said that “devices which share the same brand are assumed to run the same, irrespective of where you are in the world — however, the customisation is done by third-party vendors such as Samsung, Huawei and Xiaomi can leave these devices with significantly poor security dependent on what region a device is set up in or the SIM card inside of it.”
Highlighting the threat posed by the bloatware that comes pre-installed in most Android phones, Loureiro noted, “We have seen devices that come with over 100 applications added by the vendor introducing a significant attack surface that changes by region.”
Citing the example of the Samsung Galaxy S9, the researchers explained that the smartphone reacts differently based on the location of the SIM card that is inserted in the phone. This is done to ensure that the device works in a specific geo-location. Even Huawei’s and Xiaomi’s devices were found to be following a similar pattern; however, this offered the researchers a scope to gain full control of the device by exploiting an application.
According to Toby Drew, a senior security consultant at F-Secure’s Consulting, a Xiaomi Mi 9 may be secure for a user in China but the same device may be vulnerable for another user in a different country, say India.
“It’s important for vendors to consider the security implications when they’re customising Android for different regions. People in one region are not more or less entitled to security than another. And if you have the same device configured to provide a less secure experience to users in one region compared to another, it’s creating a type of inequality by increasing their exposure to attacks,” says Toby.
The vulnerabilities discovered during this process have been reported to the manufacturers via controlled disclosure process and have been patched by the respective brands.