
Last week, at the DEF CON security conference held in Las Vegas, security researchers presented details about 47 vulnerabilities in the firmware and default apps of 25 Android smartphone models, 11 of which are also sold in the US.

These vulnerabilities, embedded in full in the table at the bottom of this article, range from simple flaws that crash devices to dangerous bugs that grant attackers the ability to get root access on users' devices.

Some of the most dangerous of these vulnerabilities allow an attacker to retrieve or send SMS texts from the user's phone, take screenshots or record videos of the phone's screen, retrieve the user's contacts list, force the installation of third-party arbitrary apps without the user's knowledge or consent, or even wipe the user's data from the device.

Some big OEM brands listed

These vulnerabilities were discovered both in the default apps that come preinstalled on some devices (and are sometimes unremovable) and in the firmware of core device drivers that can't be removed without losing some of the phone's functionality, if not access to the device as a whole.

US mobile and IoT security firm Kryptowire unearthed these vulnerabilities as part of a grant awarded by the Department of Homeland Security (DHS).

The smartphone brands (OEMs) included on Kryptowire's list include big names such as ZTE, Sony, Nokia, LG, Asus, and Alcatel, but also smaller companies such as Vivo, SKY, Plum, Orbic, Oppo, MXQ, Leagoo, Essential, Doogee, and Coolpad.

"With the hundreds of mobile phone makes and models on the market and thousands of versions of firmware, best-effort manual testing and evaluations simply cannot scale to address the problem of identifying vulnerabilities in mobile phone pre-installed apps and firmware," said Angelos Stavrou, CEO of Kryptowire, in a press release also announcing the release of a new enterprise-targeted platform for automatically testing the firmware and apps of Android mobile devices.

Some old names on the list

Some of the OEM brands are old acquaintances, ZTE for example. Leagoo and Doogee have also been listed in previous reports about insecure Android device makers. Devices from these two vendors were found on two different occasions [1, 2] to come preinstalled with banking trojans.

Back in November 2016, Kryptowire also discovered a backdoor mechanism in the FOTA (Firmware Over The Air) update software system produced by Chinese firm Adups. That FOTA system was included in the firmware of many Android phone makers, and a year later was found to be still active, despite public disclosure.

Below are the vulnerabilities discovered by the Kryptowire team and presented last week at DEF CON. A whitepaper is available here, while a list of vulnerable apps is available here.

| OEM | Model | OS Version | Description | Attack Requirements | Build Fingerprint |
|---|---|---|---|---|---|
| ZTE | ZMAX Pro | 6.0.1 | Send text messages | Local app on the device without any permissions | ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys |
| ZTE | ZMAX Pro | 6.0.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages | Local app on the device without any permissions | ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys |
| ZTE | ZMAX Champ | 6.0.1 | A pre-installed app allows any app on the device to cause the device to get stuck in an unfixable recovery bootloop. | Local app on the device without any permissions | ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys |
| ZTE | ZMAX Champ | 6.0.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device without any permissions | ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys |
| ZTE | ZMAX Pro | 6.0.1 | Obtain the numbers of contacts and numbers of people that the user has texted | Local app on the device without any permissions | ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys |
| ZTE | Blade Spark | 7.1.1 | Obtain the logcat log, which gets written to the sdcard. This can be mined for user data. This does leave a sticky notification. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | ZTE/Z971/peony:7.1.1/NMF26V/20171129.143111:user/release-keys |
| ZTE | Blade Vantage | 7.1.1 | A pre-installed app allows any app on the device to make the system write the modem log to the sdcard. This contains the sent and received text messages and the call data. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | ZTE/Z839/sweet:7.1.1/NMF26V/20180120.095344:user/release-keys |
| Vivo | V7 | 7.1.2 | Record the screen and write it to the app's private directory. A notification and floating icon pop up initially, but these can be quickly removed. | Local app on the device that does not require any permissions | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Vivo | V7 | 7.1.2 | Obtain the kernel log and also the logcat log, which get written to the sdcard. This can be mined for user data. This does leave a sticky notification. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Vivo | V7 | 7.1.2 | Provides the capability to set system properties as the com.android.phone user. With this and the vulnerability above, you can capture the input of the user (where they touch the screen) and the Bluetooth snoop log. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Sony | Xperia L1 | 7.0 | Take a screenshot of the screen, which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard; the EXPAND_STATUS_BAR permission is needed to expand the status bar | Sony/G3313/G3313:7.0/43.0.A.6.49/2867558199:user/release-keys |
| SKY | Elite 6.0L+ | 6.0 | Command execution as the system user via an old version of Adups software | Local app on the device that does not require any permissions | SKY/x6069_trx_l601_sky/x6069_trx_l601_sky:6.0/MRA58K/1482897127:user/release-keys |
| Plum | Compass | 6.0 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | PLUM/c179_hwf_221/c179_hwf_221:6.0/MRA58K/W16.51.5-22:user/release-keys |
| Orbic | Wonder | 7.1 | Pairing with the vulnerability above, the user can get the body of text messages and call data since the default messaging app is in debug mode, so the telephony data is written to the log. The log is written to the sdcard, so any app can use the vulnerability above to get this data. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys |
| Orbic | Wonder | 7.1.2 | A pre-installed app allows the user to obtain the logcat log that gets written to the sdcard continuously. The logcat log is not available to third-party apps since it contains sensitive user data. The user can start the app so that it will not show up in the recent apps list and then dismiss it by going to the home screen so it will not be accessible to the user. It will continuously write the log file to the sdcard. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys |
| Orbic | Wonder | 7.1.2 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys |
| Oppo | F5 | 7.1.1 | Surreptitiously audio-record the user and write it to the sdcard. This does require the command execution as system user to copy the recording file. | Local app on the device without any permissions | OPPO/CPH1723/CPH1723:7.1.1/N6F26Q/1513597833:user/release-keys |
| Oppo | F5 | 7.1.1 | Command execution as the system user | Local app on the device without any permissions | OPPO/CPH1723/CPH1723:7.1.1/N6F26Q/1513597833:user/release-keys |
| Nokia | 6 TA-1025 | 7.1.1 | Take a screenshot of the screen, which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard; the EXPAND_STATUS_BAR permission is needed to expand the status bar | Nokia/TA-1025_00WW/PLE:7.1.1/NMF26F/00WW_3_32F:user/release-keys |
| MXQ | TV Box | 4.4.2 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys |
| MXQ | TV Box | 4.4.2 | Make the device non-functional. The device will not boot properly even after a factory reset. The device can likely be recovered by placing clean firmware images on the sdcard and flashing them. | Local app on the device that does not require any permissions | MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys |
| LG | G6 | 7.0 | Can lock a user out of their own phone (even in safe mode), and the user will be forced to factory reset in recovery mode. The user may be able to unlock the device if they had ADB enabled prior to the locking of the screen and can figure out how to unlock it, which may be difficult for the average user. This acts as a denial-of-service attack and results in data loss if a factory reset occurs. | Local app on the device that does not require any permissions | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| LG | G6 | 7.0 | Obtain the logcat logs continuously, which are not available to third-party apps since they leak sensitive user data. The log file can be written to the app's private directory by using path traversal. | Local app on the device and the INTERNET permission to send out the data | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| LG | G6 | 7.0 | Obtain the kernel log and also the logcat log, which get written to the sdcard. This can be mined for user data. It also creates a file on the sdcard containing the phone's IMEI and serial number. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| Leagoo | Z5C | 6.0 | Read the last text message from each conversation. The last message will contain the phone number, text body, timestamp, and the contact's name (if any). | Local app on the device that does not require any permissions | sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20180125.183848:user/release-keys |
| Leagoo | P1 | 7.0 | Take a screenshot of the screen, which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard; the EXPAND_STATUS_BAR permission is needed to expand the status bar | LEAGOO/t592_otd_p1/t592_otd_p1:7.0/NRD90M/1508151212:user/release-keys |
| Leagoo | P1 | 7.0 | Local root privilege escalation via ADB. The vendor allows read-only properties to be modified. They could also perform this behavior to get root privileges. | Physical access to the device | LEAGOO/t592_otd_p1/t592_otd_p1:7.0/NRD90M/1508151212:user/release-keys |
| Leagoo | P1 | 7.0 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | LEAGOO/t592_otd_p1/t592_otd_p1:7.0/NRD90M/1508151212:user/release-keys |
| Leagoo | Z5C | 6.0 | Send text messages | Local app on the device that does not require any permissions | sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20180125.183848:user/release-keys |
| Leagoo | Z5C | 6.0 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20180125.183848:user/release-keys |
| Essential | Essential | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | essential/mata/mata:7.1.1/NMJ88C/464:user/release-keys & essential/mata/mata:8.1.0/OPM1.180104.166/297:user/release-keys |
| Doogee | X5 | 6.0 | Video-record the screen. This capability can be used in a similar way as taking screenshots by opening apps that show the user's messages. The recording is not transparent to the user. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the INTERNET permission to send out the data | DOOGEE/full_hct6580_weg_c_m/hct6580_weg_c_m:6.0/MRA58K/1479906828:user/test-keys |
| Coolpad | Revvl Plus | 7.1.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Canvas | 7.0 | Provides the capability to set system properties as the com.android.phone user. | Local app on the device without any permissions | Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys |
| Coolpad | Defiant | 7.1.1 | Send text messages | Local app on the device without any permissions | Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys |
| Coolpad | Revvl Plus | 7.1.1 | Provides the capability to set system properties as the com.android.phone user. | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Revvl Plus | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Revvl Plus | 7.1.1 | Send text messages | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Canvas | 7.0 | Obtain the logcat logs, kernel logs, and tcpdump capture, which are written to the sdcard. This leaves a notification active. The logs contain the body of sent and received text messages. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys |
| Coolpad | Defiant | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device without any permissions | Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys |
| Coolpad | Defiant | 7.1.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages | Local app on the device without any permissions | Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | A pre-installed app with an exposed interface allows any app on the phone to obtain a bugreport (kernel log, logcat log, dump of system services (includes text of active notifications), WiFi passwords, and other system data), which gets written to the sdcard. The numbers for received and placed telephone calls show up in the log, as well as the sending and receiving telephone numbers for text messages. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | Arbitrary app installation over the internet. This app can also be uninstalled after it is run using the same interface. | Local app on the device without any permissions | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | Take a screenshot of the screen, which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard; the EXPAND_STATUS_BAR permission is needed to expand the status bar | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max & ZenFone V Live | 7.0 | Command execution as the system user | Local app on the device without any permissions | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys & asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1709.56-20171017:user/release-keys |
| Alcatel | A30 | 7.0 | Take a screenshot of the screen, which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard; the EXPAND_STATUS_BAR permission is needed to expand the status bar | TCL/5046G/MICKEY6US:7.0/NRD90M/J63:user/release-keys |
| Alcatel | A30 | 7.0 | Local root privilege escalation via ADB. The vendor allows read-only properties to be modified. They could also perform this behavior to get root privileges. This was an Amazon Prime exclusive device. | The user needs physical access to the device and needs to bypass the screen lock if it exists | TCL/5046G/MICKEY6US:7.0/NRD90M/J63:user/release-keys |
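The build fingerprints in the table are what a device reports as `ro.build.fingerprint`, so an administrator can check a fleet against them. The following checker is an added example, not Kryptowire's code or tooling: it parses a fingerprint into its Android fields (brand/product/device:release/id/incremental:type/tags), matches it against rows copied from the table above (four rows are embedded as the data set), reports same-device matches on a different build separately because the table says nothing about whether later builds are fixed, and flags builds signed with test keys, as the MXQ and Doogee entries are.

```python
import re

# ro.build.fingerprint layout: BRAND/PRODUCT/DEVICE:RELEASE/ID/INCREMENTAL:TYPE/TAGS.
# The BRAND/PRODUCT prefix is optional so the truncated Leagoo Z5C entries parse.
FP_RE = re.compile(
    r"^(?:(?P<brand>[^/]+)/(?P<product>[^/]+)/)?(?P<device>[^:/]+):"
    r"(?P<release>[^/]+)/(?P<build_id>[^/]+)/(?P<incremental>[^:]+):"
    r"(?P<type>[^/]+)/(?P<tags>[^/]+)$")

# (OEM, model, description, listed fingerprints): four rows copied from the table.
FINDINGS = (
    ("ZTE", "ZMAX Pro", "Send text messages",
     ("ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys",)),
    ("Essential", "Essential", "Factory reset without user intervention",
     ("essential/mata/mata:7.1.1/NMJ88C/464:user/release-keys",
      "essential/mata/mata:8.1.0/OPM1.180104.166/297:user/release-keys")),
    ("MXQ", "TV Box", "Factory reset without user intervention",
     ("MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys",)),
    ("Leagoo", "Z5C", "Read the last text message of each conversation",
     ("sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20180125.183848:user/release-keys",)),
)

def parse_fingerprint(fp):
    m = FP_RE.match(fp.strip())
    if not m:
        raise ValueError(f"not a build fingerprint: {fp!r}")
    return m.groupdict()

def assess(fingerprint):
    """Return (exact, same_device, warnings): findings listed against this very
    build, findings for the same brand/product/device on another build (the
    table does not say whether that build is fixed), and build-level red flags."""
    fingerprint = fingerprint.strip()
    dev = parse_fingerprint(fingerprint)
    warnings = []
    if dev["tags"] != "release-keys":
        warnings.append(f"signed with {dev['tags']}, not a production release key")
    if dev["type"] != "user":
        warnings.append(f"non-production build type {dev['type']!r}")
    exact, same_device = [], []
    for finding in FINDINGS:
        if fingerprint in finding[3]:
            exact.append(finding)
        elif any(all(parse_fingerprint(x)[k] == dev[k]
                     for k in ("brand", "product", "device")) for x in finding[3]):
            same_device.append(finding)
    return exact, same_device, warnings

if __name__ == "__main__":
    import subprocess  # live value from a USB-attached device
    live = subprocess.run(["adb", "shell", "getprop", "ro.build.fingerprint"],
                          capture_output=True, text=True, check=True).stdout
    exact, same, warns = assess(live)
    print("AFFECTED:", [f"{o} {m}: {d}" for o, m, d, _ in exact])
    print("SAME DEVICE, OTHER BUILD:", [f"{o} {m}: {d}" for o, m, d, _ in same])
    print("WARNINGS:", warns)
```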
