Android handsets found to have region-specific security issues
Android is the most popular smartphone OS, but new research suggests that its security landscape is fragmented due to region-specific issues that affect users in some countries but not others.
Researchers at F-Secure examined devices including the Huawei Mate 9 Pro, the Samsung Galaxy S9, and the Xiaomi Mi 9 to understand the exploitation process for vulnerabilities and configuration issues, as well as the impact, and found it varies from device to device.
"Devices which share the same brand are assumed to run the same, irrespective of where you are in the world -- however, the customization done by third party vendors such as Samsung, Huawei and Xiaomi can leave these devices with significantly poor security dependent on what region a device is setup in or the SIM card inside of it," says F-Secure Consulting's UK director of research James Loureiro. "Specifically, we have seen devices that come with over 100 applications added by the vendor, introducing a significant attack surface that changes by region."
As an example, the Samsung Galaxy S9 detects the region that the SIM card is operating in, which influences how the device behaves. F-Secure Consulting found that they could exploit an application to take full control of the device when the Samsung device's code detected a Chinese SIM card, but not with SIM cards from other countries.
Research conducted on Xiaomi and Huawei phones reveals similar issues. In both cases, the researchers were able to compromise the devices due to region-specific settings (China for the Huawei Mate 9 Pro, and China, Russia, India, and others for the Xiaomi Mi 9).
"Finding problems like these on multiple well-known handsets shows this is an area that the security community needs to look at more carefully," F-Secure Consulting's senior security researcher Mark Barnes says. "Our research has given us a glimpse of just how problematic the proliferation of custom-Android builds can be from security perspective. And it's really important to raise awareness of this amongst device vendors, but also large organizations with operations in several different regions."
You can read more about the research on the F-Secure blog.