These popular Android phones came with vulnerabilities pre-installed

Security flaws included, no assembly required.

Alfred Ng Senior Reporter / CNET News

Security researchers from Kryptowire said they discovered 38 vulnerabilities on 25 Android phones, all of which were in pre-installed apps.

Keeping your phone safe from malicious apps is hard enough, with Google stamping out hundreds of thousands of bad apps every year.

Your phone makes for an attractive target. Apps open up a lot of access to your devices, reaching into your contacts, your location, your data usage, among the many private details you share with your phone.

So you can imagine how challenging it becomes when there are apps with security vulnerabilities that come pre-installed on multiple Android phones.

Security researchers from Kryptowire, a security firm, found 38 different vulnerabilities, which can allow for spying and factory resets, on 25 Android phones -- 11 of them sold by major US carriers. That includes devices from Asus, ZTE, LG and the Essential Phone, which are distributed by carriers like Verizon or AT&T.

The vulnerabilities are just the latest blow to Android, which suffers from the perception that it's a less secure mobile platform than Apple's iOS. Google has worked to repair its image, forcing security updates for vendors and pushing out malicious apps, but these kinds of revelations don't help. It's also a reminder that consumers need to be more vigilant when it comes to protecting the info on their mobile devices.

Angelos Stavrou, Kryptowire's CEO, and Ryan Johnson, the firm's director of research, disclosed their findings at the DEFCON hacker conference on Friday.

"All of these are vulnerabilities that are prepositioned. They come as you get the phone out the box," Stavrou said. "That's important because consumers think they're only exposed if they download something that's bad."

An Essential spokeswoman said the company fixed these issues once Kryptowire reached out to them. An LG spokesman said the company has been introducing security patches to fix the vulnerabilities.

"ASUS is aware of the recent ZenFone security concerns raised and is working diligently and swiftly to resolve them with software updates that will be distributed over-the-air to our ZenFone users," an ASUS spokesman said in a statement.

AT&T said it's deployed patches to address the issue.

ZTE did not respond to a request for comment. Verizon also did not respond to a request for comment.

"The issues they have outlined do not affect the Android operating system itself, but rather, third party code and applications on devices. Together with Kryptowire, we have reached out to affected Android partners to address these issues," a Google spokesperson said in a statement.

Defect on Arrival

Hackers could potentially exploit the pre-installed vulnerabilities to record screens, take screenshots, brick or factory reset a device, or steal private information by getting a victim to download a malicious app, Johnson said. They could also potentially get logs of what a person was typing and reading, and who they're in touch with.

Considering that thousands of people fall for malicious apps that pose as harmless tools like a flashlight or popular games like Fortnite, getting people to download the right kind of malicious app isn't difficult, he noted.

While most apps can't get access to protected files, they can use these pre-installed apps' flaws as openings to get in, Johnson said in an interview prior to DEFCON.

Part of the problem is that phone makers have free rein to put whatever apps they'd like on the devices they're selling. While Google is able to patrol its Play Store and block malware or apps with security flaws, it doesn't have much control over what comes packaged on devices, the researchers said.

"Any vendor can create an Android build," Johnson said. "Some of those pre-installed apps may not get the scrutiny of something that Google creates with their own apps."

Variety of vulnerabilities

Because there are so many different phone makers out there for Android devices, it's hard for Google and researchers to keep track of all of the pre-installed apps, Johnson said. Some vendors do a better job than others of making sure their pre-installed apps are secure.

The vulnerabilities are different across phones, because they all have different pre-installed apps, Kryptowire's researchers said.

Some are severe, like the one on the Essential Phone, which allowed an attacker to pull off a factory reset. The flaw comes thanks to a pre-installed app with the file name "com.ts.android.hiddenmenu." Any app on the device could access that pre-installed app and use it to reach the Essential Phone's system and wipe out all the data stored on it, Stavrou said.

Other vulnerabilities, like the ones on ASUS's ZenFone 3 Max, allow apps to install any other app over the internet, obtain Wi-Fi passwords, set up keyloggers, intercept text messages and make phone calls. These were also present on the ZenFone V and the ZenFone 4 Max and Max Pro, according to the researchers.

There could be more out there, the researchers noted, considering that they haven't looked at every single Android device available. With more than 24,000 different types of Android devices logged in 2015, it'd be a monumental task to run vulnerability scans on every single one.

"As an end user, there's not much you can do," Stavrou said. "Someone would have to scan and analyze your firmware and find the vulnerabilities."