【2019 Archives】

Don't chuck your Android phone across the room in fear just yet.

A report from the security firm Kryptowire019 Archives via Wired, shows that many Android phones are stunningly vulnerable thanks to Android's open operating system. But while this report is concerning, the real-world threat it poses to actual Android phone users might not be that big of a deal.

Kryptowire analyzed 10 Android devices supported by U.S. carriers, and found that bugs in the firmware — the permanent pre-loaded software responsible for running the phones — left them open to attack by a malicious app.

"Pre-installed apps and firmware pose a risk due to vulnerabilities that can be pre-positioned on a device, rendering the device vulnerable on purchase," an overview of the report reads.

Kryptowire conducted the study under a grant from the Department of Homeland Security. That's notable because some of the phones it analyzed come from Chinese firm ZTE. The federal government has prohibited military employees from using ZTE and Huawei phones, and the intelligence community has also advised that they could pose a broad national security risk, if used by China to spy on U.S. citizens.

According to Kryptowire, if a ZTE ZMax phone user downloads a malicious app, the app could do everything from gain total control of the phone — sending text messages or wiping it clean — to mine it for user data. Other affected phones came from Vivo, Sony, and Sky, among others.

The vulnerability is what Wireddescribes as a "byproduct" of the Android OS business strategy: it lets third-party companies like ZTE modify the code. That ability to modify, which is what makes Android an attractive OS for phone makers, is also what's responsible for the cracks that might allow a malicious app to take over.

While all this sounds alarming, there's one important thing to remember: Bad actors don't have the ability to exploit these vulnerabilities unless a phone user downloads an app. Apps that go through the Google Play store are subject to stringent review that should prevent a malicious app from even seeing the light of day.

So unless you're already downloading apps directly from their makers, or using a non-Google verified app service, your Android phone *should* be secure. The popular game Fortnite has been in the news because it will be available directly through Epic Games' website.

This has raised all sorts of questions about the merits of an app developer stepping away from Google Play. Doing so allows the developer to skirt around Google's 30 percent cut, but this Kryptowire report reinforces security concerns we were already thinking about. Downloading the street meat of apps already makes you vulnerable, we know that — Kryptowire's revelations just make that possibility a little worse.

Phone makers need to address the issues that Kryptowire brought to light. But fear not, Android users: Chinese hackers probably won't be taking over your phone any time soon.

(Editor: {typename type="name"/})