Features included in some off-the-shelf Android phones contain dangerous vulnerabilities that leave the devices susceptible to infiltration.
The gaps also potentially enabled attackers to bypass security mechanisms and wipe users' data or record conversations, according to US researchers at North Carolina State University.
Android phones from leading manufacturers – including HTC, Motorola and Samsung – contain pre-loaded applications that do not properly enforce the platform's permission-based security model, designed to require each app to explicitly request permission from the user to access personal information and phone features.
The affected apps were designed to make the smartphones more user friendly and can be exploited by hackers to access and erase user data, send text messages to costly premium-rate numbers or even record a user's conversations, according to a research paper describing the issues.
“The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential backdoors that can be used to give third-parties direct access to personal information or other phone features,” Xuxian Jiang, an assistant professor of computer science at NC State and co-author of the research paper, said in a news release.
The researchers developed a tool, called Woodpecker, to identify these so-called “capability leaks,” or situations where an app can gain permission without actually requesting it. They tested eight different smartphone models, including two loaded only with Google's baseline Android software, meaning there were no additional apps loaded.
Both of those did not contain the flaw. Five other models, however, had “significant vulnerabilities,” including HTC's Legend, EVO 4G and Wildfire S, Motorola's Droid X and Samsung's Epic 4G, each of which contained multiple capability leaks. The EVO 4G was found to be most vulnerable.
“We believe these results demonstrate that capability leaks constitute a tangible security weakness for many Android smartphones in the market today,” the report stated.
The affected vendors were informed about the issues earlier this year. According to the research paper, Motorola and Google have confirmed the reported vulnerabilities in the affected phones. HTC and Samsung, however, have been “really slow” in responding to the revelations.
Representatives from HTC, Motorola and Samsung did not immediately respond when contacted by SCMagazineUS.com.
Amit Sinha, CTO at security firm Zscaler said managing the security of Android devices will likely become even more challenging in the future.
“Android is a complex ecosystem with Google providing the [operating system], device manufacturers adding enhancements, and app developers that do not have to go through a validation process,” he said.
This is not the first time security flaws have been discovered in Android devices. In October, researcher Trevor Eckhart disclosed a bug affecting certain HTC Android devices that could give any internet-connected application access to users' personal data. HTC has since pushed out a fix.