Researchers Xiaoyong Zhou, Yeonjoon Lee, Nan Zhang, Muhammad Naveed and XiaoFeng Wang discovered vulnerabilities in the customized Android firmware shipped by various device makers. Their findings show that many OEMs introduce numerous vulnerabilities into Android as they add new features to, or change core functionality of, the Google-developed "stock" Android.
The researchers mainly focused on vulnerabilities found in customized device drivers by using a tool of their own creation called "ADDICTED." The tool works in the following manner:
"ADDICTED performs dynamic analysis to correlate the operations on a security-sensitive device to its related Linux files, and then determines whether those files are under-protected on the Linux layer by comparing them with their counterparts on an official Android OS. In this way, we can detect a set of likely security flaws on the phone," said the researchers in their published abstract.
The researchers ran the tool against three popular Samsung phones and found that the vulnerabilities it uncovered could be used to take pictures and screenshots without authorization, and even to log the keys typed on the virtual keyboard.
Some of the flaws were found to exist on over 100 smartphone models and affected millions of users. The researchers also verified the security settings of device files on 2,423 factory images, and more than 1,000 of them were vulnerable. They reported the vulnerabilities to the affected companies before publishing their paper.
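The comparison step the abstract describes, as an added example that is not the researchers' ADDICTED tool: a small Python check that takes a device-file listing from a stock image and one from a customized image (both constructed here, in a simplified `<mode> <owner> <group> <path>` format rather than real `ls -l` output) and reports device nodes that are more permissive than their stock counterparts or have no stock counterpart at all.

```python
import re
from typing import Dict, NamedTuple

class DevEntry(NamedTuple):
    owner: str
    group: str
    mode: int          # permission bits as an int, e.g. 0o660

# Constructed listing format: "<mode string> <owner> <group> <path>", one
# device node per line (a trimmed-down version of what `ls -l /dev` shows).
LINE_RE = re.compile(r"^([cb-][rwx-]{9})\s+(\S+)\s+(\S+)\s+(/dev/\S+)$")

def parse_mode(mode_str: str) -> int:
    """Turn the nine permission characters of an ls mode string into bits."""
    bits = 0
    for ch in mode_str[1:]:
        bits = (bits << 1) | (0 if ch == "-" else 1)
    return bits

def parse_listing(text: str) -> Dict[str, DevEntry]:
    entries = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        mode_str, owner, group, path = m.groups()
        entries[path] = DevEntry(owner, group, parse_mode(mode_str))
    return entries

def find_underprotected(stock: Dict[str, DevEntry], custom: Dict[str, DevEntry]) -> Dict[str, str]:
    """Report device nodes on the custom image that are more exposed than on stock."""
    findings = {}
    for path, cur in custom.items():
        ref = stock.get(path)
        if ref is None:
            findings[path] = "no counterpart on stock image; review manually"
            continue
        extra = cur.mode & ~ref.mode          # bits set on custom but not on stock
        if extra & 0o007:                     # "other" bits are the classic flaw
            findings[path] = f"world-accessible bits added: {extra & 0o007:03o}"
        elif extra:
            findings[path] = f"extra permission bits vs stock: {extra:03o}"
        elif (cur.owner, cur.group) != (ref.owner, ref.group):
            findings[path] = f"ownership changed from {ref.owner}:{ref.group} to {cur.owner}:{cur.group}"
    return findings

# Constructed sample listings; /dev/oem_sensor0 is a made-up OEM-added node.
STOCK_LISTING = """
crw-rw---- system camera /dev/video0
crw-rw---- system graphics /dev/graphics/fb0
crw-rw---- root input /dev/input/event2
crw-rw-rw- root root /dev/null
"""
CUSTOM_LISTING = """
crw-rw-rw- system camera /dev/video0
crw-rw---- system graphics /dev/graphics/fb0
crw-r--r-- root input /dev/input/event2
crw-rw-rw- root root /dev/null
crw-rw-rw- system system /dev/oem_sensor0
"""

if __name__ == "__main__":
    for path, why in find_underprotected(parse_listing(STOCK_LISTING), parse_listing(CUSTOM_LISTING)).items():
        print(f"{path}: {why}")
```

On a real device the listing would be captured from the phone's shell and the node names matched to the driver operations observed at runtime, which is the correlation step the tool automates.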
Another group of researchers, also analyzing various Android firmware customizations, reached the same conclusion as the first group: customizations increase the attack surface and make the devices more vulnerable.
"By using different indicators and techniques, we showed that attack surface and information permeability are consistently worse on customized devices, as the addition of customization packages increases both the number of protected resources and the number of packages accessing those resources, violating both the 'least privileges' and the 'minimal trusted computing base' paradigms. At the very least, it increases misuse and creates a more complex environment which can mask problems and is more difficult to analyse," concluded the paper.
Many OEMs try to add as many features as possible on top of stock Android in order to differentiate from each other. Sometimes those features might not be implemented with security in mind, which could then make the devices more vulnerable to attacks and malware.
The device makers also often pre-install multiple third-party apps (sometimes called "bloatware") on their phones, which further raises the level of risk for these devices.
If OEMs are going to customize Android smartphones to such a high degree, then they should at least consider the security implications for each new feature or app that they are adding to the devices they are selling for hundreds of dollars to their customers.