Uncovering Security Vulnerabilities in Prepaid Android Smartphones
Quokka's R&D Team Exposes Systemic Weaknesses
- The research and development team at Quokka discovered multiple security vulnerabilities in prepaid Android smartphones, including instances of arbitrary command execution in privileged processes
- Quokka released Q-Scout 2.0.0 for Android that enables end users to scan their devices and informs them if they are impacted by the discovered vulnerabilities
- Quokka advises manufacturers and consumers to prioritize mobile device security during production and use, respectively
August 14, 2023 – McLean, VA, United States – Quokka, Inc., a mobile security and privacy solutions company, released a technical report at DEFCON 31 titled "Still Vulnerable Out of the Box: Revisiting the Security of Prepaid Android Carrier Devices," detailing its discovery of multiple security vulnerabilities in 21 prepaid Android smartphones sold by American carriers. The Quokka R&D team examined the local attack surface of the smartphones and uncovered flaws in the preloaded software that, if leveraged, can escalate privileges to indirectly perform actions and obtain data without having the necessary permissions to do so. This means that even when an app requests minimal permissions from its users, it could be exploiting vulnerabilities on the phone itself to illicitly escalate its privileges.
“We found that due to a wide range of local interfaces with missing access control checks and inadequate input validation, a third-party app’s behavior is not truly circumscribed by the permissions that it requests,” said Dr. Ryan Johnson, Sr. Director of R&D at Quokka. “These findings are concerning because they suggest that prepaid Android carrier devices may be vulnerable out of the box.”
To help mitigate the risks associated with the prepaid Android smartphones, Quokka released Q-Scout 2.0.0 for Android, which enables end users to scan their devices and informs them if they are impacted by the vulnerabilities discovered by the R&D team. Many of these vulnerabilities are not publicly disclosed yet; therefore, the sole means of identifying whether your Android device harbors such vulnerabilities is to use the Q-Scout app.
“Quokka has been working diligently since 2015 to identify and mitigate security risks posed by mobile applications and devices, as well as IoT devices. We believe it’s our responsibility as an industry leader to keep our customers informed about emerging security risks,” said Dana Waldman, CEO at Quokka. “Our team will continue researching mobile security issues and develop cutting-edge solutions for improved safety and privacy.”
As we become increasingly reliant on our mobile phones for communication and other activities like banking or shopping online, it is important for us all to remain vigilant about keeping our devices secure. It is essential for manufacturers and consumers alike to prioritize mobile device security during production and use, respectively, especially when it comes to prepaid Android carrier devices, which are still vulnerable out of the box.
The world of digital security is ready to evolve beyond distrust. We want less fear and more peace of mind, less worry and more confidence. Quokka (formerly Kryptowire) is a different kind of digital security and privacy company. Our proactive, light-touch solutions put users and their privacy first, helping people, teams, and enterprises around the world take back control of their digital security and privacy in the new work-and-live-anywhere world. Join us in being Quokka Secure.