Your Chinese Smartphone Might Have A Serious Security Problem


The allure of a cheap smartphone can be hard to resist, especially as they’re now almost as capable as more expensive models. It’s for this reason that formerly unknown Chinese manufacturers like Huawei and Xiaomi are rapidly overtaking more established, premium manufacturers, like Samsung, Sony, and even Apple.

But, as in all things, you get what you pay for. A recently discovered vulnerability in many budget Chinese handsets, which could allow an attacker to gain root access, proves that maxim. Here’s what you need to know.

Understanding The Attack

Many phones run SoCs (System on Chip) built by Taiwan-based MediaTek, who are one of the largest semiconductor manufacturers in the world. In 2013, they produced a phenomenal 220 million smartphone chips. One of their biggest sellers is the MT6582, which is used in a number of low-end smartphones, with many of them produced by Chinese manufacturers like Lenovo and Huawei.

The MT6582 came with a debug setting enabled, which, according to the manufacturer, was used to test “telecommunications interoperability” in China.

While this was necessary for MediaTek to actually design the chip, and to ensure it works properly, leaving it on a consumer device represents an incredible security risk to consumers. Why? Because it allows an attacker, or a malicious piece of software, to gain root access to the phone.


From this, they would be able to modify and delete important system files and settings, spy on the user, and install yet more malware without the user’s consent. If an attacker wanted, they could even brick the phone, rendering it permanently unusable.

According to The Register, this vulnerability can only be executed on phones running version 4.4 KitKat of the Android operating system.

The discovery of this vulnerability follows a similar flaw found in the OS keychain of version 3.8 of the Linux kernel, which was disclosed by researchers in January. When exploited, this vulnerability would have allowed an attacker to gain root access to the machine.

This vulnerability affected virtually every distribution of Linux, as well as a plurality of Android phones. Thankfully, a fix was swiftly issued.

Put Down Your Pitchforks

Although phones from the likes of Lenovo and Huawei are especially affected, you shouldn’t blame them, even though it might seem appealing, given that some of these manufacturers have a history of security-related improprieties.

Lenovo is especially guilty of this. In 2014, they broke SSL for all of their users with SuperFish. Then they burdened their laptops with unremovable, BIOS-based malware. Then they installed a creepy, Big Brother-esque analytics program on their high-end ThinkPad and ThinkCentre desktops.

But here, their hands are clean. For once. The blame lies squarely at the door of MediaTek, who shipped these chips to manufacturers with this setting enabled.

Am I Affected?

It’s worth pointing out that this vulnerability won’t have the same reach as the aforementioned Linux vulnerability. The vulnerability is only found on phones running on a chipset which didn’t ship on any phones released in 2015 and 2016.

It can also only be executed on phones running a very specific version of Android, which despite running on around one-third of Android phones, is by no means ubiquitous.

Despite that, it’s probably a good idea to check whether your phone is vulnerable. As it so happens, I own a budget Chinese phone – a Huawei Honor 3C, which was my main device until I jumped ship to Windows Phone in August.


First things first, I looked up the device on GSMArena. This is essentially the Encyclopedia Britannica of phones. If a major manufacturer released it, this website will provide thorough statistics about it. Information about the chipset used can be found underneath Platform. Sure enough, my Huawei phone contains it.


Next, I needed to see whether I was running the affected version of Android. I opened Settings, and then tapped About Phone. This might be a bit different for your phone though. Manufacturers are known for customizing the settings menu.


Fortunately, my phone is running Android 4.2 Jelly Bean, which despite being long in the tooth, isn’t affected by this vulnerability.
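The same two checks (chipset and Android version) can be read from a phone's system properties over adb, which is handy if you have several handsets to go through. The script below is an added example, not part of the original article; the property names it reads and the MATCH / NO_MATCH / UNKNOWN labels are assumptions, and a MATCH only means the phone fits the affected profile described here, not that the debug setting is confirmed to be on.

```shell
#!/bin/sh
# Added example: compare a `getprop` dump with the two conditions the article
# gives for an affected phone: MT6582 chipset AND Android 4.4 KitKat.
# On a real device, save the dump first:  adb shell getprop > dump.txt

# prop_value NAME FILE: print the value from a "[NAME]: [value]" line.
# adb output may carry CR line endings, so those are stripped first.
prop_value() {
    tr -d '\r' < "$2" | sed -n "s/^\[$1\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# check_device FILE: print MATCH, NO_MATCH or UNKNOWN.
check_device() {
    dump=$1
    release=$(prop_value 'ro.build.version.release' "$dump")
    if [ -z "$release" ]; then echo UNKNOWN; return; fi
    case "$release" in
        4.4|4.4.*) ;;                       # KitKat: keep checking
        *) echo NO_MATCH; return ;;         # any other Android version
    esac
    # Assumption: one of these properties names the SoC on this build.
    chipset=
    for name in ro.mediatek.platform ro.board.platform ro.hardware; do
        chipset=$(prop_value "$name" "$dump")
        if [ -n "$chipset" ]; then break; fi
    done
    if [ -z "$chipset" ]; then echo UNKNOWN; return; fi
    case "$(printf '%s' "$chipset" | tr '[:lower:]' '[:upper:]')" in
        MT6582*) echo MATCH ;;
        *) echo NO_MATCH ;;
    esac
}

# Constructed sample dump (not taken from a real device).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[ro.build.version.release]: [4.4.2]
[ro.board.platform]: [mt6582]
[ro.product.model]: [EXAMPLE-PHONE]
EOF
check_device "$sample"
rm -f "$sample"
```

An UNKNOWN result means the dump lacked a value the check needs, so fall back to the manual lookup described above.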

If You Are Affected

While I was rather lucky, it’s safe to assume millions of phones will be affected by this. If you are, you’d be wise to purchase a new phone.

The Motorola Moto G is a great budget phone, produced by a manufacturer you can trust. You can get one on Amazon for just $110. As an added bonus, Motorola are rather speedy when it comes to issuing software updates, which Huawei is definitely not.

If you can’t afford to upgrade, you’d be wise to take some simple security precautions. First, try to avoid downloading software from disreputable sources. Avoid downloading pirated apps and warez like the plague. Stick to the Google Play store.

It’s likely that many of the affected users will be based in China, where the Google Play store isn’t available. Chinese consumers have to make do with alternative app stores, many of which aren’t as vigilant about filtering out malware as Google is. Those consumers would be advised to be extra careful.

In Short: Be Afraid, But Don’t

This vulnerability is scary. It’s scary because it’s born of how a particular piece of hardware is configured. It’s scary because there are no steps a consumer can take in order to stay secure.

But it’s worth emphasizing that the majority of consumers won’t be affected. It only affects a limited number of devices, which were released by a handful of manufacturers around 2013 and 2014. Most people should be fine.

Were you impacted? If so, will you get a new phone? Or are you not all that concerned? Let me know in the comments below.
