Several pieces of research published by F-Secure Labs demonstrate that region-specific default configurations and settings in some flagship Android devices are creating security problems that affect people in some countries but not others.
According to F-Secure Consulting’s UK Director of Research James Loureiro, the research highlights the security compromises vendors can inadvertently make when customizing Android builds.
“Devices which share the same brand are assumed to run the same, irrespective of where you are in the world – however, the customization done by third party vendors such as Samsung, Huawei and Xiaomi can leave these devices with significantly poor security dependent on what region a device is setup in or the SIM card inside of it,” said Loureiro. “Specifically, we have seen devices that come with over 100 applications added by the vendor, introducing a significant attack surface that changes by region.”
From left to right: F-Secure Consulting’s James Loureiro, Mark Barnes, and Toby Drew.
Insecure by default
Vendors often bundle their own apps with the phones. These can offer additional benefits to users that help differentiate vendors’ phones from competitors. But there’s downsides to this. And they can be more significant than providing users with a bunch of extra apps they might never use.
Excessive numbers of apps isn’t good for security. It expands a device’s attack surface by giving attackers more potential targets. After all more features on a gadget are more things that can go wrong. And when these apps are included in the device’s default configuration, vulnerabilities in the apps can cause security problems for the entire device. It’s how Loureiro and his colleagues were able to develop an attack to compromise Huawei’s Mate 9 Pro.
Access to Google Play is banned in China. This forces vendors to offer their own app stores in its place. Huawei devices have a dedicated app store called Huawei AppGallery. F-Secure Consulting’s research found multiple vulnerabilities within Huawei AppGallery that an attacker could exploit to create a beachhead to launch additional attacks. Following this initial compromise, an attacker could use additional vulnerabilities the researchers discovered in Huawei iReader to execute code and steal data from the device.
Some people might be tempted to write this off as a situation isolated to China due to local restrictions. However, research on the Xiaomi Mi 9 shows that it’s not that simple.
By manipulating users (such as through email or SMS messages) into visiting a website controlled by an attacker, F-Secure Consulting’s research demonstrates that it’s possible to compromise the Xiaomi’s Mi 9’s default configuration for China, India, Russia, and possibly other countries. By exploiting vulnerabilities the researchers discovered in Xiaomi’s GetApps store, an attacker could take full control of the device. The same research highlighted a second, similar attack conducted via attacker-controlled NFC tags. Both attacks give adversaries the access they need to steal data or install malware on compromised devices.
SIMs a little fishy
Using a more novel approach, F-Secure’s researchers demonstrated an attack against the Samsung Galaxy S9 that didn’t depend on a setting or configuration of the phone itself. It’s partially based on the way the phone seems to change its behavior for different SIM cards. The Samsung device’s code detects the Mobile Country Code (MCC) used by the SIM card. Some apps adjust their behavior if they detect a Chinese MCC (460). In one case (Samsung’s GameServiceReceiver update mechanism), F-Secure’s researchers learned to use the change to compromise the device.
To perform this attack, an adversary must manipulate an affected Galaxy S9 user into connecting to a Wi-Fi network under their control (such as by masquerading as free public Wi-Fi). If the phone detects a Chinese SIM, the affected component accepts unencrypted updates, allowing an adversary to compromise the device with a man-in-the-middle attack. If successful, the attacker will have full control of the phone.
A tale of two security standards
F-Secure Consulting made the series of discoveries over the past few years while preparing for Pwn2Own hacking competitions. At Pwn2Own, participants compete with one another to compromise selected devices by using previously undisclosed vulnerabilities (zero-days).
However, these vulnerabilities may only be drops in a big bucket of security problems. According to IDC, Android is the world’s biggest operating system for mobile phones. By some measuring sticks, it’s the most popular operating system period.
Because of its overwhelming dominance of the world’s smartphone market, the fragmented landscape of security problems poses significant challenges. F-Secure Consulting Senior Security Consultant Toby Drew, who helped research the Xiaomi Mi 9 attack, fears these regional difference are creating different tiers of security for people in different countries.
“It’s important for vendors to consider the security implications when they’re customizing Android for different regions. People in one region aren’t more or less entitled to security than another. And if you have the same device configured to provide a less secure experience to users in one region compared to another, it’s creating a type of inequality by increasing their exposure to attacks,” says Toby.
F-Secure Consulting Senior Security Researcher Mark Barnes, who also contributed to the Xiaomi Mi 9 research, points out that as the number of customized-Android builds spread, so does the importance of security research.
“Finding problems like these on multiple well-known handsets shows this is an area that the security community needs to look at more carefully,” said Barnes. “Our research has given us a glimpse of just how problematic the proliferation of custom-Android builds can be from security perspective. And it’s really important to raise awareness of this amongst device vendors, but also large organizations with operations in several different regions.”
Advice
F-Secure has received no reports or evidence of these attacks occurring outside of their own research. Vendors of affected products entered into Pwn2Own competitions are invited to attend the event by the organizer, ZDI, to receive details of the vulnerabilities used by participants. Thanks to this controlled disclosure process, Huawei, Xiaomi, and Samsung have patched the vulnerabilities F-Secure discovered during their research. As long as users update their phones, they should be safe from these particular attacks.
Here’s a list of CVE’s and advisories related to the research for anyone that wants to learn more. They can also check out more of the research published on F-Secure Labs:
Huawei Mate 9 Pro
CVE-2018-7931, CVE-2018-7932, CVE-2017-15308, CVE-2017-15309, CVE-2017-15310
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171120-01-hwreader-en
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180423-01-app-en
Samsung Galaxy S9
CVE-2019-6741, CVE-2019-6742
https://security.samsungmobile.com/securityUpdate.smsb (SMR-JAN-2019/SVE-2018-13474)
https://www.zerodayinitiative.com/advisories/ZDI-19-255/
Xiaomi Mi 9
CVE-2020-9530, CVE-2020-9531
Categories