Region-specific Default Configurations and Settings for Android Devices Cause Varied Security Posture for Mobile Users
Over the last few years, security researchers have been able to crack various Android phones during Pwn2Own hacking competitions. Now one firm has collected its research and finds a potentially significant global problem: Android security may be dependent on the country of use.
One problem is the open and global nature of the Android operating system. Handset manufacturers seek to differentiate themselves and gain a competitive edge over other manufacturers by adding their own proprietary apps to the default Android device — sometimes known as bloatware. “Specifically,” commented F-Secure UK director of research James Loureiro, “we have seen devices that come with over 100 applications added by the vendor, introducing a significant attack surface that changes by region.”
At Mobile Pwn2Own 2017, F-Secure used vulnerabilities in the proprietary Huawei apps HiApp and Read to compromise the Huawei Mate 9 Pro.
Just as concerning is the absence of the official Google Play app store in some regions. China, where access to Google Play is banned, is a good example. Both Xiaomi and Huawei have been forced to develop their own dedicated app stores. F-Secure’s researchers found multiple vulnerabilities in the Huawei AppGallery that could be exploited to create a beachhead for additional attacks. “Following this initial compromise,” say the researchers, “an attacker could use additional vulnerabilities the researchers discovered in Huawei iReader to execute code and steal data from the device.”
A similar situation exists with Xiaomi’s GetApps store, where vulnerabilities allowed an attacker to gain full control of the device. The research demonstrated that an attacker could compromise the Xiaomi Mi 9’s default configuration for China, India, Russia, and possibly other countries — it would simply require socially engineering the user into visiting a website controlled by the attacker. A similar attack could also be delivered via attacker-controlled NFC tags. Both attacks give the attacker the access needed to steal data or install malware.
The security problems are not limited to bloatware and proprietary app stores. F-Secure discovered that the Samsung Galaxy S9 behaves differently depending on the country associated with the SIM card. The device reads the Mobile Country Code (MCC) reported by the SIM — and some apps adjust their behavior if they detect a Chinese MCC (460).
F-Secure discovered that if the Galaxy S9 detects a Chinese SIM, the affected component accepts unencrypted updates — making it susceptible to man-in-the-middle attacks. A successful MitM attack would give the attacker full control of the device. The behavior is keyed to the SIM, not to the physical location of the handset, so a device carrying a Chinese-issued SIM is exposed wherever it is used.
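To make the failure mode concrete, here is a small model of a region-conditional update path, written for this article as an added example; it is not code from F-Secure, Samsung, or any handset. The vulnerable selector downgrades to plaintext HTTP when the SIM reports MCC 460, so an on-path attacker can rewrite the update body, and the vulnerable installer accepts whatever arrives. The hardened version never downgrades the transport and also verifies an integrity tag over the payload, so even a plaintext fetch cannot deliver a tampered image. The host name, MCC list, key, payload bytes and audit entries are all constructed for illustration, and the HMAC tag stands in for the asymmetric vendor signature a real updater would check.

```python
import hmac
import hashlib
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

CHINA_MCC = "460"
UPDATE_HOST = "updates.example.invalid"   # hypothetical host, not a real vendor endpoint


def vulnerable_update_url(mcc: str) -> str:
    """Region-dependent transport: plaintext HTTP for MCC 460, TLS for everyone else."""
    if mcc == CHINA_MCC:
        return f"http://{UPDATE_HOST}/cn/update.bin"
    return f"https://{UPDATE_HOST}/update.bin"


def hardened_update_url(mcc: str) -> str:
    """Region may still select a different path, but the transport never downgrades."""
    path = "/cn/update.bin" if mcc == CHINA_MCC else "/update.bin"
    return f"https://{UPDATE_HOST}{path}"


# Constructed demo key. A production updater verifies a signature made with the
# vendor's private key against a pinned public key; HMAC is used here only so the
# example runs with the standard library.
_UPDATE_KEY = b"constructed-demo-key"


def sign_update(payload: bytes) -> bytes:
    return hmac.new(_UPDATE_KEY, payload, hashlib.sha256).digest()


def install_vulnerable(payload: bytes, tag: Optional[bytes]) -> bool:
    """Installs anything it is handed; transport security is the only protection."""
    return True


def install_hardened(payload: bytes, tag: Optional[bytes]) -> bool:
    """Refuses untagged payloads and anything whose tag does not match the bytes received."""
    if tag is None:
        return False
    return hmac.compare_digest(tag, sign_update(payload))


def mitm_tamper(payload: bytes) -> bytes:
    """What an on-path attacker does to a plaintext update body."""
    return payload.replace(b"benign", b"malicious")


def simulate(mcc: str,
             url_fn: Callable[[str], str],
             install_fn: Callable[[bytes, Optional[bytes]], bool]) -> Tuple[str, bool, bool]:
    """Return (scheme, tampered, installed) for one constructed update fetch.

    The tag is computed over the genuine payload before transmission; if the
    transport is plaintext the attacker rewrites the body but cannot forge the tag.
    """
    url = url_fn(mcc)
    payload = b"benign firmware blob"          # constructed update image
    tag = sign_update(payload)
    scheme = urlparse(url).scheme
    tampered = scheme == "http"
    if tampered:
        payload = mitm_tamper(payload)
    installed = install_fn(payload, tag)
    return (scheme, tampered, installed)


def audit_update_urls(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flag any (mcc, url) observation whose update transport is not HTTPS.

    This is the check a fleet owner would run over captured device traffic or
    extracted config: the point is that the scheme must be verified per region,
    not only for the region the tester happens to be in.
    """
    return [(mcc, url) for mcc, url in entries if urlparse(url).scheme != "https"]


if __name__ == "__main__":
    for mcc in ("310", CHINA_MCC):
        print(mcc, "vulnerable:", simulate(mcc, vulnerable_update_url, install_vulnerable))
        print(mcc, "hardened:  ", simulate(mcc, hardened_update_url, install_hardened))
    # Constructed observations; only the MCC 460 entry uses plaintext.
    observed = [("310", vulnerable_update_url("310")),
                ("460", vulnerable_update_url("460")),
                ("234", hardened_update_url("234"))]
    print("plaintext update channels:", audit_update_urls(observed))
```

Running the script shows the asymmetry the research describes: with a non-Chinese MCC the vulnerable path fetches over HTTPS and installs a genuine image, while with MCC 460 the same code fetches over HTTP, the attacker's rewritten image is accepted, and nothing on the device notices. The hardened installer rejects the tampered image even when the transport has been downgraded, which is why integrity checking of the payload is the control to look for rather than relying on the transport alone.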
The attacks discovered by F-Secure could be used indiscriminately for mass compromise, or could be targeted at individuals with little indication to the user that anything is wrong. At one level, this is philosophically unacceptable — users deserve the same high level of security regardless of where they live or the phone they use.
At another level, although all the discovered vulnerabilities have since been patched, the F-Secure research still raises questions that need to be considered. Given the number of different Android handsets manufactured around the world, the problem is likely to be far greater than the few handsets F-Secure examined. Nor should large organizations dismiss it as a problem confined to foreign markets: a device bought or provisioned in one region and carried into another brings that region’s default configuration with it.
“Our research has given us a glimpse of just how problematic the proliferation of custom Android builds can be from a security perspective,” comments F-Secure senior security researcher Mark Barnes. “And it’s really important to raise awareness of this amongst device vendors, but also large organizations with operations in several different regions.”
But there is another issue that also needs to be considered. China seems to be the epicenter of the issues discovered by F-Secure, and wherever China is involved, geopolitics must be considered. F-Secure raises this. “It is unclear,” says the firm, “if these [vulnerabilities] are being actively exploited; more likely, these are vulnerabilities left in due to carelessness by the developers. However, it does raise interesting questions about the relationship between a particular handset’s security and the region it’s used in.”
That ‘relationship’ is particularly relevant given the occurrence of Huawei in the research, and the ongoing concern over the relationship between Huawei and the Chinese government. Although last year’s NCSC report on Huawei telecommunications equipment found no backdoors, it did comment that vulnerabilities could lead to future abuse.
An alternative term for carelessness could be ‘technical negligence’. Talking to SecurityWeek in January 2020, ex-intelligence community employee and now co-founder and CTO at SaltStack Thomas Hatch explained that technical negligence is a tool used by intelligence services over and above straightforward backdoors. Technical negligence can be used as necessary in the future by state actors who may know where the negligence exists. “This,” he said, “poses a legitimate security risk that cannot be reasonably mitigated.”