According to reports reaching us from our sources, Asus, Essential, LG, and ZTE have promised to patch the security flaws found by mobile security firm Kryptowire. The aim of Kryptowire’s research was to call attention to the security meltdowns caused by code that phone companies write to modify Android.
Bugs were found in the firmware of 10 separate devices across the main American carriers that saw an early version of Kryptowire’s report. The security lapses range from letting a hacker lock someone out of their device to controlling their microphone. However, according to Kryptowire, users would have to download a malicious app before the weaknesses within the firmware could be exploited. The research is funded by the Department of Homeland Security and was presented at the Black Hat USA security conference.
Kryptowire says these vulnerabilities arise from the open nature of Android, which lets third parties fine-tune the code, modify the interface, or create a totally different version of Android. As researchers have noticed, this open nature could lead to gaps in security. Our sources say the research views these flaws as a problem detrimental to Android.
The CEO of Kryptowire, Angelos Stavrou, said in a comment, “A lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error.”
One such error was found in the Asus Zenfone V Live. Our sources report that Kryptowire found sufficient holes in its code to expose users to a complete takeover of their device. Screenshots and video recordings of the screen can be taken, and someone may be able to read and change the user’s text messages. Asus stated that it is “aware of the recent security concerns” and that the company is “working diligently and swiftly to resolve them” with a patch.
Essential, LG, and ZTE all informed our sources that they have fixed some or all of these issues, although we don’t know whether these patches have been released to all users.