Odds are you have a smartphone. And, since Android has the largest share of the smartphone market in the U.S., that smartphone probably uses Android. If so, you may be particularly interested in new research from North Carolina State University (NCSU) finding that some smartphones with the Android operating system have additional features that hackers can use to bypass Android’s security features.
The problem doesn’t seem to lie directly with Google’s Android software, but rather with certain phone models that come with pre-loaded apps that are vulnerable to attacks by hackers.
“Some of these pre-loaded applications, or features, are designed to make the smartphones more user-friendly, such as features that notify you of missed calls or text messages,” says Dr. Xuxian Jiang, assistant professor of computer science at NC State and co-author of a paper describing the research. “The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential ‘backdoors’ that can be used to give third-parties direct access to personal information or other phone features.”
Hackers can trick these pre-loaded apps. For example, “backdoors” can be used to record your phone calls, send text messages to premium numbers that will charge your account, or even completely wipe out all of your settings.
Some smartphones were less vulnerable than others. For instance, the Motorola Droid and two “reference implementations” loaded only with the baseline Android software “were basically clean.” “No problems there,” said Dr. Jiang.
Five other models, however, had “significant vulnerabilities.” These included:
- HTC Legend
- HTC EVO 4G
- HTC Wildfire S
- Motorola Droid X
- Samsung Epic 4G
“If you have one of these phones, your best bet to protect yourself moving forward is to make sure you accept security updates from your vendor,” Jiang says. “And avoid installing any apps that you don’t trust completely.”
The researchers notified smartphone manufacturers of the vulnerabilities they detected earlier this year. Researchers now plan to test these vulnerabilities in other smartphone models and determine whether third-party firmware has similar vulnerabilities.
The National Science Foundation and the U.S. Army Research Office supported the research.
The full paper, co-authored by Jiang and NCSU Ph.D. students Michael Grace, Yajin Zhou and Zhi Wang, is available here.