Cybersecurity researchers discovered 47 new major vulnerabilities of Android-based firmware and default apps of 25 smartphones from LG Electronics, ASUS, and a number of other original equipment manufacturers, many of which are based in China. The findings that were presented at the latest edition of Las Vegas, Nevada-based Def Con conference encompass a wide variety of issues, ranging from potential privacy vulnerabilities to openings for full-fledged remote code execution. Four handsets from ZTE were found to be affected by some of the discovered problems, though only two were previously sold in the United States – the ZTE Blade Spark and Blade Vantage. Sony's Xperia L1 was also on the list of vulnerable devices, being affected by one exploit that can allow attackers to screenshot its notification bar.
A similar issue was found inside the Android Oreo implementation running on the Nokia 6, but not the variant that's sold in the U.S. ASUS, Alcatel, Vivo, OPPO, Essential, DOOGEE, LEAGOO, MXQ, Orbic, SKY, Coolpad, and Plum were also listed among the manufacturers that have some patching work to do in the future, provided they choose to address the new discoveries. IoT security company Kryptowire is credited with the findings that it hunted for in order to fulfill a grant given by the U.S. Department of Homeland Security.
While state-sponsored, the study isn't meant to be reflective of the federal government's stances on the state of mobile security. Regardless, with ZTE being one of the more high-profile names on the newly published list, the development marks yet another occasion on which the company's devices were presented as posing a potential security risk to American consumers. Refer to the banner below for a full list of at-risk Android devices discovered by Kryptowire. Administrators with affected devices being active in their ecosystems are advised to take immediate action to mitigate the risk of having their users compromised as it's currently unclear whether any of the listed manufacturers will be addressing the discovered vulnerabilities in the immediate future.