Researchers from Project Zero, Google’s security taskforce, have discovered that an alarming number of coding vulnerabilities are introduced into Android phones by manufacturers.
Looking specifically at Samsung’s Galaxy S6 Edge handset, researchers discovered 11 “high impact” flaws that could be exploited by attackers for malicious purposes.
In a blog post, Natalie Silvanovich, a member of the Google security team, explained where the majority of the vulnerabilities were located.
“The weak areas seemed to be device drivers and media processing,” she said. “We found issues very quickly in these areas through fuzzing and code review. It was also surprising that we found the three logic issues that are trivial to exploit. These types of issues are especially concerning, as the time to find, exploit and use the issue is very short.”
The logic issues affected both the system privileges on the smartphone and the Samsung Email client. By exploiting the flaws, attackers could potentially ensure that system files were written in the wrong locations or forward emails onto another address without permission.
As Android is an open source operating system, checking the additional programming introduced by original equipment manufacturers (OEM) is crucial. As well as introducing new code, the OEMs also decide how often security updates are pushed to consumers and so play a crucial role in ensuring that the Android ecosystem is a safe one.
Google informed Samsung of the security flaws and the most severe were fixed within Google’s 90-day disclosure limit. Of course, the Android code itself can also contain vulnerabilities and so Google operates its own Android Security Rewards Program to encourage security researchers to identify flaws before they can be exploited.