Nearly all Android phones come with useless applications pre-installed by manufacturers or carriers, usually called bloatware, and there’s nothing you can do if any of them has a backdoor built-in—even if you’re careful about avoiding sketchy apps.
That’s exactly what security researchers from mobile security firm Kryptowire demonstrated at the DEF CON security conference on Friday.
Researchers disclosed details of 47 different vulnerabilities deep inside the firmware and default apps (pre-installed and mostly non-removable) of 25 Android handsets that could allow hackers to spy on users and factory reset their devices, putting millions of Android devices at risk of hacking.
At least 11 of those vulnerable smartphones are manufactured by companies including Asus, ZTE, LG, and the Essential Phone, and being distributed by US carriers like Verizon and AT&T.
Other major Android handset brands include Vivo, Sony, Nokia, and Oppo, as well as many smaller manufacturers such as Sky, Leagoo, Plum, Orbic, MXQ, Doogee, Coolpad, and Alcatel.
Some vulnerabilities discovered by researchers could even allow hackers to execute arbitrary commands as the system user, wipe all user data from a device, lock users out of their devices, access device’s microphone and other functions, access all their data, including their emails and messages, read and modify text messages, sending text messages, and more—all without the users’ knowledge.
“All of these are vulnerabilities that are prepositioned. They come as you get the phone out the box,” Kryptowire CEO Angelos Stavrou said in a statement. “That’s important because consumers think they’re only exposed if they download something that’s bad.”
For example, vulnerabilities in Asus ZenFone V Live could allow an entire system takeover, allowing attackers to take screenshots and record user’s screen, make phone calls, spying on text messages, and more.
Kryptowire, whose research was funded by the U.S. Department of Homeland Security, explained that these vulnerabilities stem from the open nature of the Android’s operating system that allows third-parties like device manufacturers and carriers to modify the code and create completely different versions of Android.
Kryptowire is the same security firm that, in late 2016, uncovered a pre-installed backdoor in more than 700 Million Android smartphones that surreptitiously found sending all text messages, call log, contact list, location history, and app data to China every 72 hours.
Kryptowire has responsibly reported the vulnerabilities to Google and the respective affected Android partners, some of which have patched the issues while others are working diligently and swiftly to address these issues with a patch.
However, it should be noted that since the Android operating system itself is not vulnerable to any of the disclosed issues, Google can’t do much about this, as it has no control over the third apps pre-installed by manufacturers and carriers.