SecurityWeek

Mobile & Wireless

The Security of Your Android Device May Depend on Where You Live

Region-specific Default Configurations and Settings for Android Devices Cause Varied Security Posture for Mobile Users


Over the last few years, security researchers have been able to crack various Android phones during Pwn2Own hacking competitions. Now one firm has collected its research and finds a potentially significant global problem: Android security may be dependent on the country of use.

One problem is the open and global nature of the Android operating system. Handset manufacturers seek to differentiate themselves and gain a competitive edge over other manufacturers by adding their own proprietary apps to the default Android device — sometimes known as bloatware. “Specifically,” commented F-Secure UK director of research James Loureiro, “we have seen devices that come with over 100 applications added by the vendor, introducing a significant attack surface that changes by region.”

At Mobile Pwn2Own 2017, F-Secure used vulnerabilities in the proprietary Huawei apps HiApp and Read to compromise the Huawei Mate 9 Pro.

Just as concerning is the absence of the official Google Play app store in some regions. China, where access to Google Play is banned, is a good example. Both Xiaomi and Huawei have been forced to develop their own dedicated app stores. F-Secure’s researchers found multiple vulnerabilities in the Huawei AppGallery that could be exploited to create a beachhead for additional attacks. “Following this initial compromise,” say the researchers, “an attacker could use additional vulnerabilities the researchers discovered in Huawei iReader to execute code and steal data from the device.”

A similar situation exists with Xiaomi’s GetApps store, where vulnerabilities allowed an attacker to gain full control of the device. The research demonstrated that an attacker could compromise the Xiaomi Mi 9’s default configuration for China, India, Russia, and possibly other countries; it would simply require socially engineering the user into visiting a website controlled by the attacker. A similar attack could also be delivered via attacker-controlled NFC tags. Both attacks give the attacker the access needed to steal data or install malware.
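The practical first step when assessing a handset like this is to know which vendor apps a given regional build actually ships with. The script below is an added example, not code from F-Secure or any vendor: it parses the output format of `adb shell pm list packages -f`, keeps only packages whose APK lives on a firmware partition (the factory preload, as opposed to apps the user installed), and diffs two regional builds of one handset. The two package lists, package names and paths are constructed for the example.

```python
"""Compare the preinstalled-package inventory of two regional Android builds.

Constructed example (not F-Secure's or any vendor's code). Input is the text
format printed by `adb shell pm list packages -f`, one line per package:
    package:<apk path>=<package name>
All package names and paths below are made up for illustration.
"""
import re
from typing import Dict, Set

PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")

# Partitions that ship with the firmware image; anything outside them is
# user-installed and not part of the factory attack surface.
PRELOAD_PARTITIONS = ("/system/", "/system_ext/", "/product/", "/vendor/", "/oem/", "/odm/")

# Constructed samples standing in for two regional builds of one handset.
BUILD_EU = """\
package:/system/app/Settings/Settings.apk=com.android.settings
package:/product/app/Chrome/Chrome.apk=com.android.chrome
package:/product/app/VendorStore/VendorStore.apk=com.example.vendor.store
package:/data/app/com.example.user.game-1/base.apk=com.example.user.game
"""

BUILD_CN = """\
package:/system/app/Settings/Settings.apk=com.android.settings
package:/product/app/VendorStore/VendorStore.apk=com.example.vendor.store
package:/product/app/VendorReader/VendorReader.apk=com.example.vendor.reader
package:/product/app/VendorBrowser/VendorBrowser.apk=com.example.vendor.browser
package:/vendor/app/RegionPush/RegionPush.apk=com.example.vendor.push
"""


def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> APK path, ignoring lines that are not pm output."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("path")
    return result


def preloaded(packages: Dict[str, str]) -> Set[str]:
    """Packages whose APK lives on a firmware partition."""
    return {pkg for pkg, path in packages.items() if path.startswith(PRELOAD_PARTITIONS)}


def region_delta(build_a: str, build_b: str) -> Dict[str, Set[str]]:
    """Preloaded packages unique to each build, plus those shared by both."""
    a = preloaded(parse_pm_list(build_a))
    b = preloaded(parse_pm_list(build_b))
    return {"only_a": a - b, "only_b": b - a, "common": a & b}


if __name__ == "__main__":
    delta = region_delta(BUILD_EU, BUILD_CN)
    for key, pkgs in delta.items():
        print(f"{key}: {sorted(pkgs)}")
```

On a real device the inputs come from `adb shell pm list packages -f` run against each regional build (or each region's firmware image); the packages that appear only in one region's `only_b` set are the ones that deserve review first, since they are exposed to users there and to nobody else.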

The security problems are not limited to bloatware and proprietary app stores. F-Secure discovered that the Samsung Galaxy S9 behaves differently depending on the country the inserted SIM card was issued for. The device reads the Mobile Country Code (MCC) of the SIM, and some of its apps adjust their behavior when they detect the Chinese MCC (460).

F-Secure discovered that when the Galaxy S9 detects a SIM with the Chinese MCC, the affected component accepts unencrypted updates, making it susceptible to man-in-the-middle attacks. A successful MitM attack would give the attacker full control of the device.
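The failure mode described above, modelled as an added example (not Samsung's or F-Secure's code): a region check that selects a cleartext, unsigned update endpoint when the SIM reports MCC 460, an audit that sweeps all 1000 MCC values so any such branch is caught regardless of which region it targets, and a version in which region may choose a mirror but never the transport or the signature policy. The hostnames and the IMSI are made up.

```python
"""Region-dependent downgrade of an update channel, and a check for it.

Constructed example, not Samsung's or F-Secure's code. It models the
behaviour the article describes (a component that accepts cleartext updates
when the SIM reports Chinese MCC 460) with made-up hostnames, then shows an
audit that sweeps every MCC value to catch such a branch, and a policy that
removes it.
"""
from dataclasses import dataclass
from typing import Callable, List

CHINA_MCC = "460"


@dataclass(frozen=True)
class UpdateChannel:
    url: str
    verify_signature: bool

    @property
    def encrypted(self) -> bool:
        return self.url.startswith("https://")


def mcc_from_imsi(imsi: str) -> str:
    """The first three digits of an IMSI are the Mobile Country Code."""
    if not (imsi.isdigit() and 5 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 5-15 digits")
    return imsi[:3]


def flawed_channel(mcc: str) -> UpdateChannel:
    """The pattern the article describes: a region check that weakens the channel."""
    if mcc == CHINA_MCC:
        # Hypothetical cleartext endpoint with no signature check: anyone on the
        # path can substitute the update payload.
        return UpdateChannel("http://updates-cn.example.invalid/manifest", verify_signature=False)
    return UpdateChannel("https://updates.example.invalid/manifest", verify_signature=True)


def hardened_channel(mcc: str) -> UpdateChannel:
    """Region may pick a mirror, but never the transport or the signature policy."""
    host = "updates-cn.example.invalid" if mcc == CHINA_MCC else "updates.example.invalid"
    return UpdateChannel(f"https://{host}/manifest", verify_signature=True)


def audit_region_downgrades(channel_fn: Callable[[str], UpdateChannel]) -> List[str]:
    """Sweep all MCC values 000-999 and return those that yield a channel
    violating the absolute policy: TLS transport and signed payloads."""
    bad = []
    for n in range(1000):
        mcc = f"{n:03d}"
        ch = channel_fn(mcc)
        if not (ch.encrypted and ch.verify_signature):
            bad.append(mcc)
    return bad


if __name__ == "__main__":
    print("MCC of constructed IMSI:", mcc_from_imsi("460001234567890"))
    print("flawed policy downgrades for MCCs:", audit_region_downgrades(flawed_channel))
    print("hardened policy downgrades for MCCs:", audit_region_downgrades(hardened_channel))
```

The audit is deliberately absolute rather than relative to a "home" region: a component that is weak everywhere would pass a diff against its own baseline, but not a check that every region must use TLS and verify signatures.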

The attacks discovered by F-Secure could be used indiscriminately for mass compromise, or could be targeted at individuals while giving the user little indication that anything is wrong. At one level, this is philosophically unacceptable: users deserve the same high level of security regardless of where they live or which phone they use.


All the vulnerabilities discovered have since been patched, but the F-Secure research still raises questions that need to be considered. Given the number of different Android handsets manufactured around the world, the problem is likely to be far greater than the few handsets F-Secure examined. Nor should large organizations dismiss the problem as one confined to foreign markets.

“Our research has given us a glimpse of just how problematic the proliferation of custom Android builds can be from a security perspective,” comments F-Secure senior security researcher Mark Barnes. “And it’s really important to raise awareness of this amongst device vendors, but also large organizations with operations in several different regions.”

But there is another issue that also needs to be considered. China seems to be the epicenter of the issues discovered by F-Secure, and wherever China is involved, geopolitics must be considered. F-Secure raises this. “It is unclear,” says the firm, “if these [vulnerabilities] are being actively exploited; more likely, these are vulnerabilities left in due to carelessness by the developers. However, it does raise interesting questions about the relationship between a particular handset’s security and the region it’s used in.”

That ‘relationship’ is particularly relevant given the presence of Huawei in the research, and the ongoing concern over the relationship between Huawei and the Chinese government. Although last year’s NCSC report on Huawei telecommunications equipment found no backdoors, it did note that the vulnerabilities it found could be abused in future.

An alternative term for carelessness could be ‘technical negligence’. Talking to SecurityWeek in January 2020, ex-intelligence community employee and now co-founder and CTO at SaltStack Thomas Hatch explained that technical negligence is a tool used by intelligence services over and above straightforward backdoors. Technical negligence can be used as necessary in the future by state actors who may know where the negligence exists. “This,” he said, “poses a legitimate security risk that cannot be reasonably mitigated.”

Related: Bug Hunters Hack Samsung Galaxy S10, Xiaomi Mi9 at Pwn2Own 

Related: UK Set to Scale Back Huawei Role in 5G Network: Report 

Related: Many Potential Backdoors Found in Huawei Equipment

Related: Google Blocks Xiaomi Integrations Over Privacy Concerns

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
