As more and more original equipment manufacturers, or OEMs, turn to the practice of customizing their Android version, millions of users are increasingly exposed to malicious attacks.
Many OEMs are in the habit of omitting the necessary security procedures before shipping their products to retail shelves, researchers at the Indiana University, Bloomington and University of Illinois at Urbana-Champaign concluded.
The researchers were able to disclose the vulnerabilities when they began to run a custom tool, which they called Addicted, on the big brands in the mobile universe that run the Android operating system as part of their group study that aimed to unearth security issues that might have been omitted by the OEMs’ security radar.
And indeed a number of security flaws have been uprooted, which underscores the companies’ reckless practice of rolling out mobile phones without making sure they are secured from potential hacks. Addicted, by the way, is a tool used for detecting certain flaws in devices. It was developed by the researchers themselves.
The vulnerabilities in question are said to grant certain apps the authority to capture images and keep log of a user’s key input on the screen. The flaws have been discovered to affect hundreds of Android device models and millions of users as a consequence.
At the core of the problem is the rapid turnout of mobile devices from production lines every year. As a result, OEMs are forced to constantly customize Android to suit their hardware upgrades or alterations, therefore compromising security in the process when they would alter Android’s Linux device drivers for NFC, camera, connectivity, among others.
More specifically, the researchers leveraged the detection capabilities of Addicted to identify the flaws in a number of Samsung models. Then they created an end-to-end method of attack to permit an unauthorized app to capture screenshots and photos.
What exactly is the side effect of OS customization? The Android Open Source Project code is used to review the entire customization process. This code is being overseen by the OEM. But it appears some OEMs have a poor oversight of the AOSP. Consequently, a number of bugs emanate from the OEM customizations.
But it is only the tip of the iceberg. The Linux ecosystem itself contains several device files that are hard to detect for security flaws. That calls for further work in order to gain insights into how to secure resources embedded in various Android layers, and most especially to protect resources in customized Android platforms.