Analysis by TU Graz:

Many manufacturers use insecure Android kernels

An analysis of smartphones from ten well-known manufacturers shows that the Android kernels used are vulnerable to known attacks - despite existing protection mechanisms. According to researchers at Graz University of Technology, this is often due to incorrect configuration.

Smartphones are a constant companion and important work tool for many people. In addition to contacts, appointments and emails, the devices are increasingly being used for sensitive tasks such as online banking or official matters. This increases the demands on security. As Lukas Maar, Florian Draschbacher, Lukas Lamster and Stefan Mangard from the Institute of Applied Information Processing and Communication Technology at Graz University of Technology have discovered in a comprehensive analysis of the Android kernels of the ten largest smartphone manufacturers, there are numerous flaws that allow one-day exploits with already known attack methods.

Depending on the manufacturer and model, only between 29 and 55 percent of the attacks tested by the research team could be prevented on the 994 smartphones examined. In contrast, the Generic Kernel Image (GKI) version 6.1 provided by Google was able to prevent around 85 percent of attacks. Compared to the GKI, the manufacturer kernels performed up to 4.6 times worse in terms of attack defense.

The research team examined devices launched on the market between 2018 and 2023 from the manufacturers Google, Realme, OnePlus, Xiaomi, Vivo, Samsung, Motorola, Huawei, Oppo and Fairphone (listed from most secure to least secure). The Android versions used on these smartphones ranged from version 9 to 14, the kernels covered the range from version 3.10 to 6.1, whereby manufacturers that rely on lower kernel versions "also offer less security", according to the TU in a statement.

Effective defense mechanisms rarely activated
Another key point of the analysis: there are already effective defenses for a number of the known attack methods, but they are rarely activated or incorrectly configured in the manufacturers' kernels. "As a result, even kernel version 3.1 from 2014 with all security measures enabled could provide better protection against known attacks than around 38 percent of the kernels configured by the manufacturers themselves," the researchers said.

They also found that low-end models from the manufacturers were around 24 percent more vulnerable than high-end models. An important reason for this was the loss of performance that additional security measures meant, which is why they often remained deactivated in low-end models to conserve resources.

"We hope that our results will help to ensure that more effective security measures can be found in manufacturers' kernels in the future, making Android more secure," says Maar. The results had been shared with the manufacturers investigated, and some had even released patches. Google itself emphasized that it is aware of the problem and wants to strengthen the integration of kernel security measures step by step. "However, it is up to the manufacturers whether they want to sacrifice performance for this."