Kryptowire, a security company that has developed an automated mobile vulnerability discovery and exploit generation engine and is a participant in the U.S. Department of Homeland Security (DHS) mobile security research and development program, has revealed a total of 146 new vulnerabilities impacting Android device users. That number alone is significant enough to make the average Android user shudder, but it gets worse: these vulnerabilities don't require the user to download a malicious app; they are already on the smartphone itself when you purchase it. The research, which focused on preinstalled software across a total of 29 Android smartphone vendors, including Asus, Samsung, Sony, and Xiaomi, is of particular concern because, according to Kryptowire, the vulnerabilities are so hard to remove. Here's what you need to know.

What did the Kryptowire vulnerability research entail?

On the basis that manual penetration testing is cumbersome and costly when applied within the mobile device ecosystem, Kryptowire developed an automated mobile vulnerability discovery and exploit generation engine. This tool not only enables Kryptowire researchers to scan Android device firmware without needing the physical device itself but also automatically creates proof-of-concept exploits. That's important in terms of vulnerability validation and makes false positives a lot less likely.

The Kryptowire researchers tasked themselves with quantifying the exposure of Android users to the problem of vulnerabilities within preinstalled apps and firmware on their devices. To do so, they analyzed devices ranging from entry-level to flagship from Android vendors great and small. "Our primary focus was exposing pre-positioned threats on Android devices sold by United States carriers," the research report stated, "although our results affect devices worldwide." These devices included the Asus ZenFone, Samsung A3, A5, A7, A8+, J3, J4, J5, J6, J7, S7, S7 Edge, Sony Xperia Touch, Xiaomi Redmi 5, Redmi 6 Pro, and Mi Note 6, amongst many others from little-known vendors. In all, millions of users could be impacted by the vulnerabilities that have been simultaneously disclosed.

Future of Kryptowire:

  • Runs automated analyses on all your users’ Android and iOS mobile apps without requiring access to the source code.
  • Continuously assesses the security of all enterprise mobile apps and devices against the highest internationally recognized software assurance standards published by the National Institute of Standards and Technology (NIST), the National Information Assurance Partnership (NIAP), and the OWASP Top Mobile Security Risks.
  • Tests the security of every mobile app, on every mobile device, for every enterprise employee, using the latest mobile threat intelligence.
  • Provides pass/fail evidence down to the line of code to assure transparent and high-confidence results.
  • Enables proactive remediation that includes whitelisting or blacklisting applications, notifying the end user, or even removing non-compliant assets to protect enterprise resources and data.
  • Enforces compliance with HIPAA, PCI, GDPR, and custom enterprise-wide privacy and security policies.
  • Offers both cloud-based (SaaS) and secure on-premises appliance solutions.
  • Integrates with the leading mobile device management (MDM) solutions for automated remediation of mobile app threats.
  • And much more.

What Android vulnerabilities were disclosed?

So what did Kryptowire discover when it scanned devices from a total of 29 smartphone vendors for unsafe states earlier this year? The report breaks these down by vulnerability type, with system properties modification being the most common and representing 28.1% of the vulnerabilities found, followed by app installation (23.3%), command execution (20.5%), wireless settings modification (17.8%), audio recording (5.5%), and dynamic code loading (4.1%). According to a TechCrunch report, while some of these vulnerabilities are limited to the supply chain, as they require another preinstalled app to trigger them, others are broader in scope, as they can apparently be triggered by user-installed apps.


How serious are these Android vulnerabilities?

The Kryptowire CEO, Angelos Stavrou, told Wired: "If the problem lies within the device, that means the user has no options. Because the code is deeply buried in the system, in most cases, the user cannot do anything to remove the offending functionality." This is particularly true of those vulnerabilities that reside in preinstalled, system-level functionality. That same Wired report quotes a Samsung spokesperson as saying: "Since being notified by Kryptowire, we have promptly investigated the apps in question and have determined that appropriate protections are already in place." That statement applies to the four preinstalled apps that were developed by Samsung itself; the remaining two apps were developed by third parties, and Samsung pointed the researchers in their direction. In total, some 33 vulnerabilities were found by Kryptowire across the Samsung devices.



Third-party applications are often preinstalled on Android smartphones, coming from firms that develop code for device functionality and from carriers with an interest in messaging, for example. Stavrou told CNET, "Google can demand more thorough code analysis and vendor responsibility for their software products that enter the Android ecosystems." Google, meanwhile, does employ its own firmware vulnerability scanning solution, called the Build Test Suite (BTS), and this prevented 242 firmware builds with potentially harmful applications from entering the Android device ecosystem in 2018. As far as the Kryptowire research is concerned, Google issued the following statement: "We appreciate the work of the research community who collaborate with us to responsibly fix and disclose issues such as these."

What can Android users do about it?

"Ideally, people should only have apps on their devices that they have downloaded and installed themselves," Jake Moore, a cybersecurity specialist at security vendor ESET, says, "in a perfect world, we would know exactly what each app on our phone does." Of course, the problem with the vulnerabilities found by Kryptowire is that they were in preinstalled apps and device firmware. Nonetheless, Moore says that it's "a good idea to delete any app that you don't use, and that goes for those apps you may have once downloaded a long time ago that you don't use anymore." Beyond that, Android users are only left with the option of trusting that the device vendors will always protect them from potential harm. Everything from the recent , twice, of the Samsung Galaxy S10 through to the vulnerabilities for 40 million Galaxy and Note users or the Qualcomm 'TrustZone' vulnerabilities, would suggest this is a less than ideal position to be in.

About us

Jumpstarted by the Defense Advanced Research Projects Agency (DARPA) and vetted by the US military, law enforcement, and intelligence agencies, Kryptowire provides software assurance tools for mobile application developers, analysts, enterprises, and telecommunication carriers. Kryptowire was founded in 2011 and has grown organically with a customer base ranging from major financial institutions to national telecommunications companies.

Additional information

| CVE | Violation | Manufacturer | Model | Status | Package Name | App Version Code | App Version Name | OS Version |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-15357 | System Properties Modification | Advan | i6A | Exploitable by local app | com.mediatek.wfo.impl | | | 8.1 |
| CVE-2019-15383 | System Properties Modification | Allview | X5 | Exploitable by local app | com.mediatek.wfo.impl | | | 8.1 |
| CVE-2019-15387 | Wireless Settings Modification | Archos | Core 101 | Exploitable by local app | com.roco.autogen | 1 | 1 | 8.1 |
| CVE-2019-15391 | System Properties Modification | Asus | ASUS_X00LD | Exploitable by local app | com.log.logservice | 1 | 1 | 8.1.0 |
| CVE-2019-15392 | System Properties Modification | Asus | ASUS_X00TD | Exploitable by local app | com.log.logservice | 1 | 1 | |
| CVE-2019-15393 | Wireless Settings Modification | Asus | ZenFone Live | Exploitable by local app | com.asus.atd.smmitest | 1 | 1 | 7.1.1 |
| CVE-2019-15394 | Wireless Settings Modification | Asus | ZenFone 5 Selfie | Exploitable by local app | com.asus.atd.smmitest | 1 | 1 | 7.1.1 |
| CVE-2019-15395 | Command Execution | Asus | ZenFone 3s Max | Exploitable by system or signature app | com.asus.loguploaderproxy | 1570000015 | | 7 |
| CVE-2019-15396 | Command Execution | Asus | ZenFone 3 | Exploitable by system or signature app | com.asus.loguploaderproxy | 1570000015 | | 7 |
| CVE-2019-15397 | Command Execution | Asus | ZenFone Max 4 | Exploitable by system or signature app | com.asus.loguploaderproxy | 1570000020 | | 7.1.1 |
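Because the disclosed issues are tied to a specific package on a specific manufacturer and model, a fleet administrator can check a handset against the table above by joining it with the device's own inventory. The following is an added example (not Kryptowire's tooling): it takes a few rows copied from the table and matches them against output in the format of `adb shell getprop` and `adb shell pm list packages`; the device output it uses is constructed, and the `ro.product.*` property names are the standard Android ones.

```python
"""Exposure check against this page's disclosure table (added example, not Kryptowire's tool).
Joins rows copied from the table with device inventory in `adb shell getprop` and
`adb shell pm list packages` format. The device output below is constructed."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Disclosure:
    cve: str
    violation: str
    manufacturer: str
    model: str
    status: str
    package: str

    def local_app_exploitable(self) -> bool:
        # "Exploitable by local app" rows need no system or signature privilege to trigger.
        return self.status == "Exploitable by local app"

# Rows copied from the table on this page (a subset of the 146 disclosures).
DISCLOSURES = [
    Disclosure("CVE-2019-15357", "System Properties Modification", "Advan", "i6A",
               "Exploitable by local app", "com.mediatek.wfo.impl"),
    Disclosure("CVE-2019-15391", "System Properties Modification", "Asus", "ASUS_X00LD",
               "Exploitable by local app", "com.log.logservice"),
    Disclosure("CVE-2019-15393", "Wireless Settings Modification", "Asus", "ZenFone Live",
               "Exploitable by local app", "com.asus.atd.smmitest"),
    Disclosure("CVE-2019-15395", "Command Execution", "Asus", "ZenFone 3s Max",
               "Exploitable by system or signature app", "com.asus.loguploaderproxy"),
]

# Constructed inventory for a hypothetical ASUS_X00LD; not captured from a real handset.
SAMPLE_GETPROP = "[ro.product.manufacturer]: [asus]\n[ro.product.model]: [ASUS_X00LD]\n"
SAMPLE_PACKAGES = ("package:com.android.settings\npackage:com.log.logservice\n"
                   "package:com.asus.atd.smmitest\n")

def parse_getprop(output: str) -> dict:
    """Turn `[key]: [value]` lines from getprop into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", output, re.M))

def parse_packages(output: str) -> set:
    """Collect package names from `package:<name>` lines of pm list packages."""
    return {ln.split(":", 1)[1].strip() for ln in output.splitlines() if ln.startswith("package:")}

def exposure(props: dict, packages: set) -> list:
    """Match manufacturer, model and package together: a vulnerable package name seen on
    another model (com.asus.atd.smmitest here) is not a disclosure listed for this device."""
    make = props.get("ro.product.manufacturer", "").lower()
    model = props.get("ro.product.model", "")
    return [d for d in DISCLOSURES
            if d.manufacturer.lower() == make and d.model == model and d.package in packages]
```

On the constructed ASUS_X00LD inventory only CVE-2019-15391 is reported, even though com.asus.atd.smmitest is also installed, because that package is listed for other models.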