Nearly 150 Security Flaws Found In New Android Devices For 29 Brands


Buying a new Android device doesn't guarantee a safe and secure experience, according to Kryptowire, which recently published a report documenting 146 security flaws across a number of brands. Kryptowire catalogs them as Common Vulnerabilities and Exposures (CVEs), the industry-standard identifiers assigned to publicly disclosed vulnerabilities so that they can be tracked consistently across vendors and products.

Most of those flaws were spread across relatively budget-minded brands. But the researchers at Kryptowire also found an alarming number in smartphones sold by major brands such as Samsung and ASUS.

For clarity, not every vulnerability existed on all 29 smartphone brands or vendors examined. But brand-new Samsung and ASUS devices each carried more vulnerabilities than any other brand. All of the flaws were present directly out of the box, in the firmware and preinstalled apps the devices shipped with. That means users were buying smartphones, including from some of the most popular brands, with the vulnerabilities already built in. The figures also cover only discoveries made in 2019 and the devices examined that year.


What are the security flaws and which new devices were they found on?

So far, the researchers haven't provided details about how severe each vulnerability is. The full list is extensive, covering 2019 to date, but Kryptowire has divided it into categories, four of which are far larger than the rest. The largest category is vulnerabilities that would allow "System Properties Modification," which accounts for 41 CVEs, or 28.1-percent of those found.

Close behind, 34 CVEs would allow "App Installation," accounting for 23.3-percent of the issues discovered. "Command Execution" CVEs make up 30 of the 146, or 20.5-percent. Finally, 26 CVEs, 17.8-percent of the total, were flagged as allowing "Wireless Settings Modification." Together, those four categories cover 131 of the 146 CVEs.

Kryptowire also draws one further distinction among the vulnerabilities, splitting them into two classes: some could be exploited by any 'local' app, meaning any third-party app a user installs from a store or sideloads, while others were reachable only from system or 'signature' apps, those signed with the same key as the vulnerable preinstalled software. The second class is harder to reach, since an attacker would first need code running inside a privileged vendor app, but it still matters because the vendor's own preloaded software is what created the exposure. Kryptowire generally splits the counts along that line for each brand, with some exceptions.
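To make the local/signature distinction concrete, here is an added example that is not from Kryptowire's report or any vendor's firmware: a small script that reads an AndroidManifest.xml and buckets each exported component by who can reach it. A component with no permission, or one guarded by a permission declared at the `normal` or `dangerous` protection level, is reachable by any local app; one guarded by a `signature` (or legacy `signatureOrSystem`) permission is reachable only by apps signed with the same key. The two manifests, the package name `com.example.oemtools` and the component names are constructed for this illustration.

```python
"""Bucket the exported components of an Android app by who can reach them.

Constructed illustration for this article, not code from Kryptowire or any
vendor: the manifests, package name and component names below are invented.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample of a preinstalled "device tools" app as it might ship.
WEAK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.oemtools">
  <application>
    <!-- exported with no permission: any local app can bind and send commands -->
    <service android:name=".ShellService" android:exported="true"/>
    <!-- gated, but by a permission declared 'normal', which any app may request -->
    <receiver android:name=".WifiConfigReceiver" android:exported="true"
        android:permission="com.example.oemtools.CHANGE_WIFI"/>
    <!-- no android:exported: before Android 12 an intent-filter implies exported -->
    <activity android:name=".InstallActivity">
      <intent-filter><action android:name="com.example.oemtools.INSTALL"/></intent-filter>
    </activity>
  </application>
  <permission android:name="com.example.oemtools.CHANGE_WIFI"
      android:protectionLevel="normal"/>
</manifest>
"""

# The same constructed app with its attack surface narrowed to same-signature callers.
HARDENED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.oemtools">
  <permission android:name="com.example.oemtools.CHANGE_WIFI"
      android:protectionLevel="signature"/>
  <permission android:name="com.example.oemtools.READ_PROPS"
      android:protectionLevel="signature|privileged"/>
  <application>
    <service android:name=".ShellService" android:exported="false"/>
    <receiver android:name=".WifiConfigReceiver" android:exported="true"
        android:permission="com.example.oemtools.CHANGE_WIFI"/>
    <activity android:name=".InstallActivity" android:exported="false">
      <intent-filter><action android:name="com.example.oemtools.INSTALL"/></intent-filter>
    </activity>
    <provider android:name=".PropsProvider" android:exported="true"
        android:authorities="com.example.oemtools.props"
        android:readPermission="com.example.oemtools.READ_PROPS"
        android:writePermission="com.example.oemtools.CHANGE_WIFI"/>
  </application>
</manifest>
"""

SIGNATURE_LEVELS = ("signature", "signatureOrSystem")
RANK = {"signature": 0, "unknown": 1, "local": 2}  # the worst reach wins


def declared_protection_levels(root):
    """Map each <permission> declared in this manifest to its base protectionLevel."""
    levels = {}
    for perm in root.findall("permission"):
        level = perm.get(A + "protectionLevel", "normal")
        levels[perm.get(A + "name")] = level.split("|")[0]  # drop flags like 'privileged'
    return levels


def is_exported(kind, elem):
    """Apply the pre-Android 12 default when android:exported is missing."""
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    if kind == "provider":
        return False  # providers default to not exported since API 17
    return elem.find("intent-filter") is not None


def access_paths(kind, elem):
    """Permission guarding each way into the component; None means unguarded."""
    generic = elem.get(A + "permission")
    if kind != "provider":
        return {"call": generic}
    return {"read": elem.get(A + "readPermission") or generic,
            "write": elem.get(A + "writePermission") or generic}


def reach_of(perm, levels):
    if perm is None:
        return "local"  # no permission at all: any installed app can get in
    level = levels.get(perm)
    if level is None:
        return "unknown"  # declared by another package; check its level there
    return "signature" if level in SIGNATURE_LEVELS else "local"


def classify_exported_components(manifest_xml):
    """Return [{'kind', 'name', 'reach'}] for every exported component."""
    root = ET.fromstring(manifest_xml)
    levels = declared_protection_levels(root)
    found = []
    for kind in ("activity", "service", "receiver", "provider"):
        for elem in root.find("application").findall(kind):
            if not is_exported(kind, elem):
                continue
            worst = max((reach_of(p, levels) for p in access_paths(kind, elem).values()),
                        key=RANK.get)
            found.append({"kind": kind, "name": elem.get(A + "name"), "reach": worst})
    return found


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        for c in classify_exported_components(xml):
            print(f"{label:9} {c['kind']:9} {c['name']:20} reachable by {c['reach']} apps")
```

Run it against a manifest decoded from a preloaded APK (for example with apktool) to get a first-pass list of the components a sideloaded app could talk to. It is a static check only: a component that does its own `checkCallingPermission` or signature check at runtime will be over-reported, and a `signature`-protected component is still worth reviewing if the vendor app that can reach it takes untrusted input itself. On Android 12 and later the implicit-export default no longer applies, since the platform requires an explicit `android:exported` on any component with an intent filter.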


Only five brands had more than 10 CVEs each. For the two largest, Samsung and ASUS, the flaws were primarily exploitable only via system or signature apps. In fact, all 33 of Samsung's CVEs fell into that category, as did 20 of ASUS's 26.

For Xiaomi, three of its fifteen vulnerabilities were reachable only from signature or system-level apps; the other twelve were exploitable by local apps. For Lava and Tecno, all fourteen and thirteen respectively were exploitable by local apps.

The bulk of the remaining phones come from less widely-known brands, primarily Chinese manufacturers, and their vulnerabilities were mostly exploitable by local apps.


Stock Android doesn't seem to be as vulnerable

For the most part, the vulnerabilities don't appear to affect devices running stock or near-stock Android. Instead, the problem appears to be endemic to devices running vendor-customized firmware, and particularly those with third-party software preloaded before delivery to consumers. Because stock devices also tend to receive updates more quickly, the problem is more easily mitigated there than on devices running manufacturer skins or overlays.

Presumably, the manufacturers Kryptowire found to be shipping problematic devices have since patched the issues following its report. However, the company has not outlined what the response of those manufacturers has been, so whether a given device has actually received a fix can only be confirmed by checking for a pending firmware update.