Enterprise security solutions firm Kryptowire has identified 146 vulnerabilities in pre-installed Android apps from as many as 27 vendors. The study, funded by the US Department of Homeland Security (DHS), found the security flaws in a variety of devices, ranging from flagship smartphones to entry-level handsets. According to the report, the vulnerabilities could allow unauthorized actors to modify system settings, install unwanted apps surreptitiously and even record audio without user consent.
The report claims that the errant vendors include some of the biggest and most reputable global names in the world of technology, including Samsung, Asus and Xiaomi. Interestingly, Lava seems to be the only Indian brand on a list otherwise dominated by Chinese firms. Some of these vendors, however, are predictably pushing back against the allegations, with Samsung issuing a statement to Wired, saying: “we have promptly investigated the apps in question and have determined that appropriate protections are already in place”.
Kryptowire, however, disagrees with that assertion, with the company’s VP of product, Tom Karygiannis, saying “The Samsung apps can be used by third-party supply chain actors to gain access to information without disclosing it or requiring permissions”. He further pointed to the security framework of Android itself, saying, “The current design of the Android Security framework does not prevent that from happening today”.
Malware on Android remains a huge problem in spite of a multitude of steps taken by Google to eradicate the issue in recent times. The company recently brought together prominent cyber-security firms ESET, Lookout and Zimperium under an umbrella organization called the App Defense Alliance to stop “bad apps before they reach users’ devices”. However, as the latest study seems to show, there’s a long way to go before the platform becomes truly safe.