In a new detailed report, security firm Kryptowire revealed 146 Android vulnerabilities across devices from 29 OEMs, including Samsung, Asus, Xiaomi, and Sony. Kryptowire discovered them with its in-house automated firmware scanning tools, and most of the affected manufacturers hail from Asia.
The worst part about these vulnerabilities is that every one of them comes on affected devices out of the box. This means users can do nothing in the way of mitigating these issues when they purchase one of these handsets.
What are these Android vulnerabilities?
These Android vulnerabilities cover a wide variety of possible exploits. Some of these include unauthorized audio recording and the ability to modify certain system settings. Some of them exist because of apps preinstalled on the system, while others originate deep within the device’s firmware.
According to Wired, Kryptowire began notifying Google and affected manufacturers this summer. But not all OEMs agree the findings are that big of a deal. After Kryptowire informed Samsung, Samsung began investigating the issue and believes the appropriate protections are already in place. Kryptowire disagrees with Samsung’s claims and says third-party actors can still gain access to private information on the device without user authorization.
Google has already taken steps toward removing many of the bugs that come preinstalled on Android devices. But no matter how hard Google works to remove vulnerabilities like this in Android, they will never go away unless OEMs work harder to prevent them as well.
Which devices are affected?
Though most affected vendors operate out of Asia, many of these companies ship phones worldwide. Most handsets on the list are mid-range devices, including the Xiaomi Redmi Note 6 Pro, the Sony Xperia XZs, and the Samsung Galaxy A8 Plus. Kryptowire CEO Angelos Stavrou believes these vulnerabilities land on devices when OEMs seek profit over security.
“In the race to create cheap devices, I believe that the quality of software is being eroded in a way that exposes the end user,” Stavrou told Wired.
You can read Kryptowire’s report for yourself at the link below. Even though there is no immediate fix for these vulnerabilities, you should still check whether any of them affect your Android device.