No big surprise here really, but still disappointing.
Researchers at Def Con last week reported that they had found 47 vulnerabilities in the firmware and default apps of 25 Android phones.
When they talk firmware, I don’t think they really mean firmware. Rather, they mean the operating system like Android Oreo or Nougat, although it is possible that they mean the software that lives below the operating system and controls things like the radio hardware or camera hardware. That stuff is buggy too.
The good news is that the bugs are not serious. All they allow a hacker to do is:
- Send or receive text messages
- Take screenshots of whatever you are looking at
- Record videos of your screen
- Steal your contacts
- Install malware and crimeware without your approval
- Wipe your data
Other than that, not really a big deal.
Just kidding. Holy cow! That pretty much means they can do whatever they want.
Part of the problem are those apps that come preinstalled on your phone because the manufacturer or carrier gets paid to put them there. Affectionately, that software is called crapware. Those are the apps that they will not let you remove. But some of them are vulnerable to attack.
Android phone vendors affected include:
- and a host of smaller players
This does not mean all models were tested or all models were affected.
IT ALSO DOESN’T MEAN THAT BECAUSE YOUR VENDOR ISN’T LISTED IT IS SAFE. THE RESEARCHERS ONLY HAD A LIMITED AMOUNT OF TIME AND MONEY.
Part of the problem is that many of the companies that manufacture phones are used to selling washing machines and headphones – stuff that you do not have to patch. As a result, they are not really culturally ready to deal with a product that releases hundreds of patches a year.
But they need to.
So what should you do?
Some people say “but my phone is not broke, why do I need to get a new one”? That is because, even though it works, after a while, it doesn’t get any patches. That doesn’t mean that researchers won’t find new security holes for the Chinese to exploit to steal your data and try to get you to pay them to give it back. In fact, old phones are the most likely to get attacked because they are the least likely to get patched.
BEFORE you buy any phone, look for the manufacturer’s guarantee of patches. For example, Google is about to release the Pixel 3, but they say they will be issuing patches for the Pixel 2 Until October 2020 – at least. If the manufacturer is cagey about patches and support, choose a different one. Apple calls their unsupported products “Vintage”, but that just is just a cute term for “You are on your own, buddy”. iPhone 4 and older are vintage. Reports indicate that due to less than exciting sales, the iPhone X might see the end of its life as early as this year. That doesn’t mean that they won’t patch it however. They just won’t sell it. The iPhone 5s is the oldest phone that supports iOS 12. Apple does a very nice job of supporting older phones.
See how often your chosen vendor releases software patches. Google and Apple release patches monthly. Some vendors don’t ever release patches and others release them quarterly or less frequently. Long wait for a patch? Find a different vendor.
It is not just the manufacturer you have to worry about, but also all of the apps that you have installed. Less apps is better. Maybe not as much fun, but definitely more secure. Uninstall anything you are not using any more. Really.
I know this is a pain in the tush, but, sorry, you just have to deal with it. iPhones and Google Pixel phones are definitely the best when it comes to timely patches.
Remember that all it takes to get infected is to receive a well crafted malicious email (you don’t have to click on anything), a malicious text or visit a malicious web site. NO. CLICKING. REQUIRED!
Don’t say I didn’t warn you.
Information for this post came from Bleeping Computer.