Android phones from leading manufacturers – including HTC, Motorola and Samsung – contain pre-loaded applications that do not properly enforce the platform's permission-based security model, designed to require each app to explicitly request permission from the user to access personal information and phone features.
The affected apps, which, ironically, were designed to make the smartphones more user friendly, can be exploited by hackers to access and erase user data, send text messages to costly premium-rate numbers or even record a user's conversations, according to a research paper describing the issues.
“The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential backdoors that can be used to give third-parties direct access to personal information or other phone features,” Xuxian Jiang, an assistant professor of computer science at NC State and co-author of the research paper, said in a news release.
The researchers developed a tool, called Woodpecker, to identify these so-called “capability leaks,” or situations where an app can gain permission without actually requesting it. They tested eight different smartphone models, including two loaded only with Google's baseline Android software, meaning there were no additional apps loaded.
Both of those did not contain the flaw. Five other models, however, had “significant vulnerabilities,” including HTC's Legend, EVO 4G and Wildfire S, Motorola's Droid X and Samsung's Epic 4G, each of which contained multiple capability leaks. The EVO 4G was found to be most vulnerable.
“We believe these results demonstrate that capability leaks constitute a tangible security weakness for many Android smartphones in the market today,” the report stated.
The affected vendors were informed about the issues earlier this year. According to the research paper, Motorola and Google have confirmed the reported vulnerabilities in the affected phones. HTC and Samsung, however, have been “really slow” in responding to the revelations.
Representatives from HTC, Motorola and Samsung did not immediately respond when contacted by SCMagazineUS.com on Friday.
Amit Sinha, CTO at security firm Zscaler, said in a statement sent to SCMagazineUS.com on Thursday that managing the security of Android devices will likely become even more challenging in the future.
“Android is a complex ecosystem with Google providing the [operating system], device manufacturers adding enhancements, and app developers that do not have to go through a validation process,” he said.
This is not the first time security flaws have been discovered in Android devices. In October, researcher Trevor Eckhart disclosed a bug affecting certain HTC Android devices that could give any internet-connected application access to users' personal data. HTC has since pushed out a fix.