It’s one thing to discover you’ve installed malware on your phone while sideloading an app you thought was safe to use, and quite another to find out that your phone shipped with preloaded vulnerabilities that would allow third parties to spy on you. Yet it happens.
What’s more disturbing is that some well-known Android vendors ship devices with preloaded security issues, according to newly published research.
Researchers from Kryptowire discovered some 38 vulnerabilities in preloaded apps that reside in the firmware builds of 25 Android handsets, including 11 models that are sold in the United States.
According to ZDNet, the list of Android vendors affected includes Asus, Essential, LG, Nokia, Sony, and ZTE.
For example, in the Asus ZenFone 3 Max, attackers could use a flawed preinstalled app to access system data and Wi-Fi passwords. It’s also possible to execute code through a wireless connection.
The Essential phone, meanwhile, comes with a preinstalled app that would allow any app to wipe all user data via a factory reset.
The LG G6 packs several issues of its own, including a vulnerability that can lock a user out of their phone and force them to perform a factory reset in recovery mode. Another flaw on the same phone exposes the kernel log.
The Nokia 6 and the Sony Xperia L1 come with issues that would allow attackers to capture screenshots quietly.
The ZTE ZMAX Pro allows attackers to steal text messages, and even edit or send them without your knowledge.
The security researchers have notified all manufacturers as well as Google. Android vendors including Asus, Essential, and LG have either deployed fixes or plan to. Meanwhile, Google explained that the issues do not affect the Android operating system itself, but the “third-party code and applications on devices.” Google is working with Kryptowire to address the issue.
If you own one of the phones mentioned above, make sure you install the latest updates, and, if you’re worried about your data, contact the manufacturer for more information.
UPDATE: Nokia reached out to BGR to confirm that one phone did have a vulnerability on an old software version, which HMD Global found and patched during routine testing. Kryptowire was in touch with the company to confirm the fix.