Researchers find 25 Android phones with vulnerabilities pre-installed

For most people, pre-installed phone software is a minor annoyance rather than a risk. It can be a lot more damaging than that though, and researchers from Kryptowire say they’ve found 25 Android devices that come with vulnerabilities pre-installed.

Presenting their findings at the DEFCON hacker conference last week, the researchers revealed a surprising 38 different weaknesses right out of the box for phones from major manufacturers including Sony, LG, Essential, Asus and ZTE.

“All of these are vulnerabilities that are prepositioned,” said Angelos Stavrou, CEO of Kryptowire, at the conference earlier this month. “They come as you get the phone out the box. That’s important because consumers think they’re only exposed if they download something that’s bad.”

The most high-profile device highlighted was the LG G6, which, the researchers said, had three vulnerabilities, including one where an owner could be locked out of their phone, even in safe mode, forcing a factory reset.

A pre-installed Essential Phone app had a vulnerability that could allow any other app to wipe all the phone data via a factory reset. The Sony Xperia L1 and Nokia 6 TA-1025, meanwhile, had a weakness that could allow outsiders to take screenshots.

The Asus ZenFone 3 Max was arguably worst affected, according to the researchers. It was vulnerable to an exploit which could have allowed hackers to install any app, gather Wi-Fi passwords, install keyloggers, intercept text messages and make phone calls, they said.

Kryptowire disclosed the vulnerabilities to affected vendors, and patches have either already been deployed or are currently being worked on.

But it’s important to note that this doesn’t wrap up the story. The real take-home is that these handsets had vulnerabilities pre-installed, and this is very likely just the tip of the iceberg.

With literally thousands of Android devices out there, it’s just not realistic for researchers to analyse every single one on the off-chance that the manufacturers have waved through possible vulnerabilities.
