Yes, Android phones are vulnerable to attack. But that might not be as scary as it sounds.
Don’t chuck your Android phone across the room in fear just yet.
A report from the security firm Krypto was, via Wired, shows that many Android phones are stunningly vulnerable thanks to Android’s open operating system. But while this report is concerning, the real-world threat it poses to actual Android phone users might not be that big of a deal.
SEE ALSO: Why ‘Fortnite’ bypassing Google Play could be a security nightmare
Krypto was analyzed 10 Android devices supported by U.S. carriers and found that bugs in the firmware — the permanent pre-loaded software responsible for running the phones — left them open to attack by a malicious app.
“Pre-installed apps and firmware pose a risk due to vulnerabilities that can be pre-positioned on a device, rendering the device vulnerable on the purchase,” an overview of the report reads.
Krypto has conducted the study under a grant from the Department of Homeland Security. That’s notable because some of the phones it analyzed come from Chinese firm ZTE. The federal government has prohibited military employees from using ZTE and Huawei phones, and the intelligence community has also advised that they could pose a broad national security risk if used by China to spy on U.S. citizens.
According to Krypto were, if a ZTE ZMax phone user downloads a malicious app, the app could do everything from gain total control of the phone — sending text messages or wiping it clean — to mine it for user data. Other affected phones came from Vivo, Sony, and Sky, among others.
The vulnerability is what Wired describes as a “byproduct” of the Android OS business strategy: it lets third-party companies like ZTE modify the code. That ability to modify, which is what makes Android an attractive OS for phone makers, is also what’s responsible for the cracks that might allow a malicious app to take over.
While all this sounds alarming, there’s one important thing to remember: Bad actors don’t have the ability to exploit these vulnerabilities unless a phone user downloads an app. Apps that go through the Google Play store are subject to stringent review that should prevent a malicious app from even seeing the light of day.
So unless you’re already downloading apps directly from their makers, or using a non-Google verified app service, your Android phone *should* be secure. The popular game Fortnite has been in the news because it will be available directly through Epic Games’ website.
This has raised all sorts of questions about the merits of an app developer stepping away from Google Play. Doing so allows the developer to skirt around Google’s 30 percent cut, but this Krypto was reported reinforces security concerns we were already thinking about. Downloading the street meat of apps already makes you vulnerable, we know that — Kryptowire’s revelations just make that possibility a little worse.
Phone makers need to address the issues that Krypto was brought to light. But fear not Android users: Chinese hackers probably won’t be taking over your phone any time soon.
If you would have any questions or concerns, please leave your comments. I would be glad to explain in more details. Thank you so much for all your feedback and support!