The open nature of Android allows, among other things, different manufacturers to add their own layer of customization on top of Google's mobile operating system so that they can differentiate themselves from the competition in the eyes of the end user. On the other hand, insecurity is one of the supposed Achilles' heels that Android has to face from time to time, a weakness in which, according to a recently published study, the customizations applied by the manufacturers themselves could play a significant role.
The study was carried out by a team of researchers from North Carolina State University, and it finds that the changes applied by the different manufacturers to the stock version of Android could be responsible for more than 60 percent of the security problems discovered in the analyzed smartphones, which belong to different operators.
Some mobile manufacturers do not take Android security "very seriously"
One of the authors of the study, Xuxian Jiang, associate professor of Computer Science at the aforementioned American university, whose work focuses on research into malware on mobile devices, has expressed surprise at the “insecurity in general” detected in the analyzed terminals. He also explained that the constant pressure on manufacturers to launch new models with more and better features and innovations could be the reason some brands don't take Android security "very seriously."
The researchers based their study on 10 smartphones running different versions of Android. Among them are models from Samsung, HTC, LG and Sony, including the popular Samsung Galaxy S3 or HTC One X, as well as the Nexus S and Nexus 4 (manufactured by Samsung and LG, respectively), which served mainly as frames of reference because they run stock versions of Google's mobile operating system.
The Android Security Study Methodology
To carry out their study, the researchers from North Carolina State University separated the applications they found on the different smartphones into three categories: those belonging to Android, those created or customized by manufacturers, and those developed by third parties. After analyzing the data and characteristics of the applications, they found that 86 percent of the apps preloaded on the smartphones ask for more permissions than necessary, and that the vast majority of them were included by manufacturers as part of their Android customization process. Because they are integrated into the operating system, the applications added by manufacturers have greater permissions than those developed by external programmers; to learn how to manage them, see how to improve the security of our Android.
In terms of specific data, the study determined that between 65 and 85 percent of the 177 vulnerabilities detected on the Samsung, LG and HTC smartphones originated from the customizations included by the manufacturer, while 38 percent of the 16 security issues found in the Sony devices came from that same source.
In defense of the manufacturers, Mark Rogers, one of the main researchers at the mobile security software company Lookout, has pointed out that applications with more privileges than necessary are a common problem among app developers in general, not something specific to manufacturers. In this regard, he explained that "there are quite a few apps that have this problem, which arises when the developer requests as many permissions as possible," even though they aren't going to need them.
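As an added illustration (not the study's own tooling), the following Python sketch shows how the over-privilege measurement described above can be expressed: declared permissions are compared with the permissions implied by the APIs an app actually calls, and the result is tallied per origin category. The app inventory and the small API-to-permission map are constructed for the example.

```python
from collections import defaultdict

P = "android.permission."
# Constructed subset of an API-to-permission map; real analyses use a full map.
API_PERMISSION = {
    "SmsManager.sendTextMessage": P + "SEND_SMS",
    "Camera.open": P + "CAMERA",
    "AudioRecord.startRecording": P + "RECORD_AUDIO",
}

# Constructed inventory: (package, origin, declared permissions, APIs found in code).
APPS = [
    ("com.example.aosp.dialer", "aosp",
     {P + "SEND_SMS"}, {"SmsManager.sendTextMessage"}),
    ("com.example.vendor.memo", "vendor",
     {P + "CAMERA", P + "RECORD_AUDIO", P + "SEND_SMS"}, {"Camera.open"}),
    ("com.example.vendor.weather", "vendor",
     {P + "INTERNET", P + "CAMERA"}, set()),
    ("com.example.thirdparty.scanner", "third_party",
     {P + "CAMERA"}, {"Camera.open"}),
]

def unused_permissions(declared, apis_called):
    """Declared permissions that no observed API call requires."""
    needed = {API_PERMISSION[a] for a in apis_called if a in API_PERMISSION}
    # Judge only permissions the map covers; others cannot be proven unused.
    covered = set(API_PERMISSION.values())
    return (declared & covered) - needed

def overprivilege_by_origin(apps):
    """Per origin: app count, flagged apps and the over-privileged share."""
    totals, flagged = defaultdict(int), defaultdict(list)
    for pkg, origin, declared, apis in apps:
        totals[origin] += 1
        extra = unused_permissions(declared, apis)
        if extra:
            flagged[origin].append((pkg, sorted(extra)))
    return {o: {"apps": totals[o],
                "overprivileged": flagged[o],
                "share": len(flagged[o]) / totals[o]} for o in totals}

if __name__ == "__main__":
    for origin, stats in overprivilege_by_origin(APPS).items():
        print(origin, stats)
```

Permissions outside the map (here `INTERNET`) are deliberately not judged, so an incomplete map under-reports rather than producing false findings.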
Built-in Security and Android Enterprise: How Risk Is Mitigated

Android has strengthened its base with file-based encryption, per-user isolation and backup protections. Added to this are Google services such as Play Protect, which scans apps for malware, and the pre-review of apps on Google Play to reduce malware. In addition, the Compatibility Program (AOSP, CDD, and CTS) requires OEMs to meet minimum security requirements in order to certify devices.
In corporate and business environments, Android Enterprise adds controls that separate personal and work data with the work profile, strengthens encryption and enables IT to enforce compliance policies. Third-party EMM/MDMs can enforce policies (passwords, feature locks, document restrictions), manage applications (white/black lists and remote updates), use Kiosk Mode to limit usage to authorized apps, and remotely wipe or lock a device in case of loss or theft.
It also hardens network access: use of TLS, Private DNS to prevent leaks, WPA3-Enterprise on Wi‑Fi and a VPN blocking mode to prevent traffic outside the corporate tunnel. This reduces the impact of excessive permissions or poorly implemented OEM layers.
Low-cost devices: pre-installed malware, fraud, and deceptive hardware
Very cheap or generic devices may come with pre-installed malware at the firmware level that is difficult to detect and almost impossible to remove (for example, the basic browser security hole). These infections allow broad access to the system, silent app installation, data theft, and persistence after resets. Campaigns such as those linked to Triada, Guerrilla or advertising fraud networks have shown that the business behind these devices is to silence the user, monetize their data and degrade their experience.
- Advertising fraud: opening ads in the background and installing modules that simulate interaction, causing slowness and resource consumption.
- Data and account theft: interception of passwords, authentication codes and geolocation, reused for campaigns or crimes.
- Undercover proxies: activation of a proxy server to hide third-party activities, with possible network blocks.
- Mass account creation: signing up for courier or mail services for spamming, with the risk of sanctions.
In addition, some models feature fake specifications or poor designs (e.g., promising 4GB of RAM when there is only 2GB), which exacerbates insecurity by preventing updates or the running of modern protections.
How to buy wisely: choose brands with a sustained presence in several countries; check the support section and whether they offer downloadable firmware; read technical opinions on forums; check in the store whether update settings exist and which Android version is installed; be wary of prices that are a tiny fraction of those of equivalent models; when you get your new device, update the system and disable bloatware with abusive permissions; if it supports apps, install a reliable security protection app.
Updates, patches and manufacturer obligations
Historically, one of the weak points has been the uneven distribution of patches by OEMs. Initiatives such as Project Treble made it easier to separate layers and speed up integrations, and agreements with manufacturers have tightened the periodic delivery of security updates. However, the rollout is not uniform: Pixel devices usually update earlier, while other OEMs take time to adapt and release the firmware.
Android regularly publishes two patch levels each month (the first and fifth). The second usually includes additional component fixes. These system patches do not come through Google Play, so the speed depends on each manufacturer. In parallel, zero-days appear in components such as graphics drivers or the kernel, with exploit chains that allow privilege escalation or access to information without user interaction; that is why it is key to install all updates as soon as they are available.
APEX Modules and Test Keys: A Case Study of Risk
A recent example was a vulnerability in the management of APEX modules (updatable units of privileged system code). Some brands signed modules with AOSP public test keys, which could allow an attacker to replace a module with a counterfeit one and execute code with specific privileges. Researchers attributed the issue to insecure defaults and insufficient documentation in the AOSP configuration, rather than to specific negligence.
Potentially affected devices included models such as:
- ASUS Zenfone 9
- Vivo X90 Pro
- Nokia G50
- Microsoft Surface Duo 2
- Lenovo Tab M10 Plus
- Nothing Phone (2)
- Fairphone 5
Exploitation is not trivial, and manufacturers deployed corrective patches (replacing test keys with valid ones and updating modules). If you have one of these devices, it is a good idea to check for and install the December security patch or a later one.
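One way to check firmware for this class of problem, as an added example rather than the researchers' or any vendor's tooling: an APEX file is a zip container that carries its payload public key in an `apex_pubkey` entry, so each module's key can be hashed and compared with the hashes of keys known to be public test keys. The module names, key bytes and the test-key hash set below are constructed placeholders; a real audit would build the set by hashing the test keys in the AOSP tree being reviewed.

```python
import hashlib
import io
import zipfile

PUBKEY_ENTRY = "apex_pubkey"  # payload public key stored inside the APEX zip

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_apex(name: str, blob: bytes, test_key_hashes: set) -> dict:
    """Classify one APEX file by the hash of its embedded public key."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            pubkey = zf.read(PUBKEY_ENTRY)
    except zipfile.BadZipFile:
        return {"module": name, "status": "unreadable"}
    except KeyError:  # container has no apex_pubkey entry
        return {"module": name, "status": "no-pubkey"}
    digest = sha256_hex(pubkey)
    status = "TEST-KEY" if digest in test_key_hashes else "ok"
    return {"module": name, "status": status, "pubkey_sha256": digest}

def audit(modules: dict, test_key_hashes: set) -> list:
    """Check every module (name -> file bytes), in name order."""
    return [check_apex(n, b, test_key_hashes) for n, b in sorted(modules.items())]

def _make_apex(pubkey):
    """Build a constructed, minimal APEX-like zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("apex_manifest.pb", b"constructed")
        if pubkey is not None:
            zf.writestr(PUBKEY_ENTRY, pubkey)
    return buf.getvalue()

# Constructed sample data: placeholder key bytes, not real AOSP keys.
PLACEHOLDER_TEST_KEY = b"CONSTRUCTED-PLACEHOLDER-TEST-KEY"
KNOWN_TEST_KEYS = {sha256_hex(PLACEHOLDER_TEST_KEY)}
SAMPLE = {
    "com.example.moduleA.apex": _make_apex(PLACEHOLDER_TEST_KEY),
    "com.example.moduleB.apex": _make_apex(b"CONSTRUCTED-VENDOR-KEY"),
    "com.example.moduleC.apex": _make_apex(None),
    "com.example.broken.apex": b"not a zip",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, KNOWN_TEST_KEYS):
        print(finding["module"], finding["status"])
```

This covers only the embedded payload key; the container's APK-style signing certificate needs a separate comparison against known test certificates.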
Good practices for users and companies
For users: activate encryption, use a biometric lock and a strong password, keep updates current, use Private DNS, connect over WPA3 whenever possible, be wary of APKs from outside Google Play, check app permissions and consider a trusted mobile security solution.
For businesses: deploy Android Enterprise with a work profile or corporate ownership, impose MDM policies (passwords, encryption, USB lock, whitelisting), enable VPN with blocking and certificates, apply Kiosk where appropriate, and use telemetry to detect anomalous behavior. Define incident response processes with remote wipe, key rotation, and reprovisioning.
The Android ecosystem combines a solid foundation with risks stemming from OEM layers, patch delays, and insecure devices; understanding where the exposure lies and applying Android Enterprise tools, along with MDM policies and prudent purchasing and usage habits, makes the difference between a large attack surface and a truly protected mobile environment.



