At least 22 cellphone models using the Android platform had bugs that allowed the devices to be hacked without their owners' knowledge, according to Department of Homeland Security-backed research. The vulnerable devices are made by some of the largest cellphone manufacturing companies in the world, including Oppo, LG and Vivo.

Millions of phones were vulnerable across the world, and it is unclear how many devices have been patched.

The flaws discovered by Kryptowire, a mobile security company based in Virginia, can make two-factor authentication and passwords seemingly useless.

On the G6 phone manufactured by LG, users could be locked out of their device and have their command history stolen. On the V7 phone manufactured by Vivo, a hacker could record the screen. And on the F5 phone manufactured by Oppo, an attacker could secretly record audio and take over the phone.

To exploit most of the flaws, all a hacker needed to do was install an application on the device or alter an existing one, according to the research. That process could be accomplished through a simple phishing attack or remote exploit.

Nokia, Sony and ZTE also have vulnerable phones, the researchers said.

There was no way customers could have stopped the flaws. Instead, the vulnerabilities were manufactured into phones and existed before they were ever touched by a customer.

The research was officially presented by Kryptowire’s Ryan Johnson and Angelos Stavrou at the DEF CON conference in Las Vegas Aug. 10, but Fifth Domain had previously reported on the vulnerabilities.

The bugs are a reminder that the electronic devices that have become so essential to human life may not be entirely secure.

Manufacturers were notified of the flaws as early as February, Stavrou, the founder of Kryptowire, told Fifth Domain Aug. 7. However, because some manufacturers did not publish their vulnerability disclosure process, Kryptowire was not initially sure if the device makers had received the warnings because the researchers did not receive a reply, Stavrou said. All the manufacturers with flaws discovered by Kryptowire are now aware of the vulnerabilities, although it does not appear they are all patched.

Andrew Elliot, a spokesman for Chinese telecommunications firm ZTE, told Fifth Domain in an email Aug. 9 that the company “has already delivered and/or is working with carriers” to fix the vulnerabilities. Asked when all the flawed phones would be patched, Elliot said “upon carrier approval processes.”

Johnson and Stavrou said during their presentation that Kryptowire had not tested every Android device, or even each phone from manufacturers where vulnerabilities were found. They hinted more flaws would be announced.

The research was supported by the DHS Science and Technology Directorate.

The Android operating platform is run by Google, which did not immediately respond to questions from Fifth Domain.

In 2017, Google announced that Android had more than 2 billion monthly users.

Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.
