Vulnerable Out of the Box: An Evaluation of Android Carrier Devices

Conference:  Defcon 26



Presentation on vulnerabilities in Android firmware and platform apps
  • Over 500 firmware were analyzed for vulnerabilities
  • Not all vulnerable devices were disclosed due to limited time and disclosure process
  • Malicious apps can access user data through dynamically registered broadcast receivers
  • Approach to exploit vulnerabilities involves selecting high entropy strings and executing shell scripts
  • Oppo provided firmware patches for vulnerabilities
The presenters demonstrated how a malicious app could access user data by registering a broadcast receiver with a high entropy string and executing shell scripts. They also discussed how Oppo provided firmware patches for vulnerabilities found in their devices.


Pre-installed apps and firmware pose a risk due to vulnerabilities that can be pre-positioned on a device, rendering the device vulnerable on purchase. This means that the vulnerabilities are present even before the user enables wireless communications and starts installing third-party apps. To quantify the exposure of the Android end-users to vulnerabilities residing within pre-installed apps and firmware, we analyzed a wide range of Android vendors and carriers using devices spanning from low-end to flagship. Our primary focus was exposing pre-positioned threats on Android devices sold by United States (US) carriers, although our results affect devices worldwide. We will provide details of vulnerabilities in devices from all four major US carriers, as well two smaller US carriers, among others. The vulnerabilities we discovered on devices offered by the major US carriers are the following: arbitrary command execution as the system user, obtaining the modem logs and logcat logs, wiping all user data from a device (i.e., factory reset), obtaining and modifying a user’s text messages, sending arbitrary text messages, and getting the phone numbers of the user’s contacts, and more. All of the aforementioned capabilities are obtained outside of the normal Android permission model. Including both locked and unlocked devices, we provide details for 37 unique vulnerabilities affecting 25 Android devices with 11 of them being sold by US carriers. In this talk, we will present our framework that is capable of discovering 0-day vulnerabilities from binary firmware images and applications at scale allowing us to continuously monitor devices across different manufacturers and firmware versions. During the talk, we plan to perform a live demo of how our system works.



Post a comment

Related work

Conference:  Defcon 31
Authors: Ryan Johnson Senior Director, R&D at Quokka, Mohamed Elsabagh Senior Director, R&D at Quokka, Angelos Stavrou Founder and Chief Scientist at Quokka

Conference:  Black Hat Asia 2023
Authors: Guangdong Bai, Qing Zhang, Guangshuai Xia

Conference:  BlackHat USA 2021