Research finds Android handsets suffer from region-specific security issues
May 2020 by F-Secure
Android dominates the global smart phone market and is used on many of today’s most popular phones. But research from security consultants with cyber security provider F-Secure demonstrates that devices from some of the biggest mobile phone vendors in the world suffer from region-specific security issues that affect users in some countries but not others, resulting in a fragmented landscape of security problems.
Devices examined by the researchers include the Huawei Mate 9 Pro, the Samsung Galaxy S9, and the Xiaomi Mi 9. The exploitation process for the vulnerabilities and configuration issues, as well as the impact, varies from device to device. What makes the discoveries significant is the implication that the security of devices sold globally offer different levels of security to users in different countries. Depending on the way vendor’s configure devices, this can essentially lower security standards for some people but not others.
According to F-Secure Consulting’s UK Director of Research James Loureiro, the presence of these security issues on popular devices expose the significant security challenges caused by the spread of customized Android implementations.
“Devices which share the same brand are assumed to run the same, irrespective of where you are in the world – however, the customization done by third party vendors such as Samsung, Huawei and Xiaomi can leave these devices with significantly poor security dependent on what region a device is setup in or the SIM card inside of it,” said Loureiro. “Specifically, we have seen devices that come with over 100 applications added by the vendor, introducing a significant attack surface that changes by region.”
For example, the Samsung Galaxy S9 detects the region that the SIM card is operating in, which influences how the device behaves. F-Secure Consulting found that they could exploit an application to take full control of the device when the Samsung device’s code detected a Chinese SIM card, but not SIM cards from other countries.
Research conducted on Xiaomi and Huawei mobile phones found similar issues. In both cases, the researchers were able to compromise the devices due to region-specific settings (China for the Huawei Mate 9 Pro, and China, Russia, India, and others for the Xiaomi Mi 9).
F-Secure Consulting discovered the vulnerabilities over the course of several years while conducting research in preparation for Pwn2Own – a bi-annual hacking competition where teams of hackers attempt to compromise various devices through the exploitation of previously undiscovered vulnerabilities (zero-days).
F-Secure Consulting Senior Security Researcher Mark Barnes says these discoveries highlight a new, potentially very insightful, area of vulnerability research.
“Finding problems like these on multiple well-known handsets shows this is an area that the security community needs to look at more carefully,” said Barnes. “Our research has given us a glimpse of just how problematic the proliferation of custom-Android builds can be from security perspective. And it’s really important to raise awareness of this amongst device vendors, but also large organizations with operations in several different regions.”
F-Secure Consulting demonstrated attacks using these vulnerabilities at several different Pwn2Own competitions, and shared their research with the Zero Day Initiative (Pwn2Own’s organizer) and the participating device vendors. All vulnerabilities used in the attacks have been patched.
F-Secure Consulting operates on four continents from 11 different countries. It provides cyber security services tailored to fit the needs of banking, financial services, aviation, shipping, retail, insurance, and other organizations working in highly targeted sectors. More information on F-Secure Consulting is available here.