Security researchers find out-of-the-box vulnerabilities in 29 Android brands


Security research firm Kryptowire has once again published a round-up of vulnerabilities present out of the box in Android phones. It covers 146 CVEs on devices from 29 different manufacturers.

The phones often come from smaller names such as Lava, Tecno and Coolpad, but the big names Asus, Samsung, Sony and Xiaomi are also on the list. The vulnerabilities enable command execution in one in five cases, and nearly a quarter enable the installation of apps. Others allow audio recording, changing radio-related settings and modifying system settings.

Samsung has 33 vulnerabilities, according to Kryptowire, which arise from six pre-installed applications. Two of those six applications are developed by third parties, and Samsung refers the company to those developers, writes Wired, which spoke with Kryptowire and Samsung. As for the other four, Samsung claims that the Android Security Framework will catch the vulnerabilities, but Kryptowire insists that attacks by third parties in the supply chain are still possible.

For Asus, the affected devices include the number five most popular smartphone, the Zenfone 4 Max; for Samsung, the Galaxy S7 and many models from the J and A series. Xiaomi's Mi A3, the second most popular phone in the Pricewatch, has also been affected.

Because these are pre-installed apps, they often cannot be removed easily. A tweaker may still know how to get a system app off the device, but the average Android user will not succeed.

Wired writes that the research was funded by the US Department of Homeland Security. It is not the first time that Kryptowire has published findings like these. A year ago it did the same; at that time LG and ZTE phones were involved as well.
