Google researchers suggest Android OEMs add vulnerable code

November 4, 2015

Security researchers at Google have discovered that Android manufacturers don’t do much to improve the security of the ecosystem, especially if they’re adding custom skins and software to the operating system.

The team at Google analyzed Samsung’s Galaxy S6 Edge, running Android 5.1 with TouchWiz, and found 11 “high-impact security issues” that were relatively easy to find during a week’s work. The idea was to see how an OEM device differs from a Nexus device running stock Android in its security, and the results shouldn’t come as a huge surprise.

One of the vulnerabilities the researchers discovered in the S6 Edge related to a process that scanned for and automatically unzipped a file in a certain location. Samsung wasn’t verifying the file path, however, which allowed an attacker to write files to an unexpected system location.
