Numerous Manufacturers Use Insecure Android Kernels

In an analysis of smartphones of ten manufacturers, researchers at TU Graz have found that the Android kernels used are vulnerable to known attacks – so-called one-day exploits – despite existing protection mechanisms.

Smartphones are a constant companion and important work tool for many people. In addition to contacts, appointments and emails, the devices are increasingly being used for sensitive tasks such as online banking or official matters. This increases the safety requirements. As Lukas Maar, Florian Draschbacher, Lukas Lamster and Stefan Mangard from the Institute of Applied Information Processing and Communications at Graz University of Technology (TU Graz) have discovered in a comprehensive analysis of the Android kernels of the ten largest and most well-known smartphone manufacturers, there are numerous flaws here that allow one-day exploits using already known attack methods. The researchers presented their findings on 15 August at the Usenix Security Symposium in Philadelphia, USA (https://www.usenix.org/system/files/usenixsecurity24-maar-defects.pdf).

Depending on the manufacturer and model, only between 29 and 55 per cent of the 994 smartphones tested by the research team were able to prevent attacks. In contrast, the Generic Kernel Image (GKI) version 6.1 provided by Google would be able to prevent around 85 per cent of attacks. Compared to the GKI, the manufacturer kernels performed up to 4.6 times worse in defending against attacks. The research team analysed devices from these manufacturers that came onto the market between 2018 and 2023 (listing from the most secure to the least secure): Google, Realme, OnePlus, Xiaomi, Vivo, Samsung, Motorola, Huawei, Oppo und Fairphone. The Android versions used on these smartphones ranged from versions 9 to 14, while the kernels covered the range from versions 3.10 to 6.1, with manufacturers who rely on lower kernel versions also offering less security.

Effective defence mechanisms rarely activated

Another key point of the analysis is that there are already effective defences for a number of the known attack methods, but they are either rarely activated in the manufacturers’ kernels or the kernels are configured incorrectly. As a result, even kernel version 3.1 from 2014 with all security measures activated could provide better protection against known attacks than around 38 per cent of the kernels configured by the manufacturers themselves. The researchers also found that manufacturers’ low-end models were around 24 per cent more at risk than high-end models. One important reason for this is the loss of performance that additional security measures can cause, which is why they are often deactivated in low-end models to conserve resources.

“We hope that our results will help to ensure that more effective security measures can be found in manufacturers’ kernels in the future, making Android more secure,” says Lukas Maar. “We also shared our analysis with the manufacturers investigated and Google, Fairphone, Motorola, Huawei and Samsung have taken note – some have even released patches. We have also suggested that Google update the Android Compatibility Definition Document (CDD), which sets out the framework of requirements for devices to be compatible with Android. Google itself has emphasised that it is aware of the problem and wants to strengthen the integration of kernel security measures step by step. However, it is up to the manufacturers whether they want to sacrifice performance for this.”

This project was funded by the Austrian Research Promotion Agency (FFG) as part of the SEIZE project and is part of the Field of Expertise “Information, Communication & Computing”, one of the five strategic focus areas at TU Graz.

Wissenschaftliche Ansprechpartner:

Lukas MAAR
Dipl.-Ing., BSc, BSc.
TU Graz | Institute of Applied Information Processing and Communications
Tel.: +43 316 873 5578
lukas.maar@tugraz.at

Originalpublikation:

Defects-in-Depth: Analyzing the Integration of Effective Defenses against One-Day Exploits in Android Kernels https://www.usenix.org/system/files/usenixsecurity24-maar-defects.pdf

https://www.tugraz.at/en/tu-graz/services/news-stories/tu-graz-news/singleview/article/zahlreiche-hersteller-nutzen-unsichere-android-kernels