Google will disclose information about vulnerabilities in third-party Android devices

Google has introduced the Android Partner Vulnerability initiative, under which it plans to disclose data about vulnerabilities in Android devices from various OEMs. The initiative will make it more transparent how users are informed about vulnerabilities specific to firmware that carries modifications from third-party manufacturers.

Until now, the official Android Security Bulletins have reported only issues in the core code offered in the AOSP repository, not issues specific to OEM modifications. The problems already disclosed affect manufacturers such as ZTE, Meizu, Vivo, OPPO, Digitime, Transsion and Huawei.

Among the issues identified:

  • In Digitime devices, instead of checking additional permissions for access to the API of the OTA update installation service, a hard-coded password was used, which allows an attacker to silently install APK packages and change an application's access rights.
  • The password manager in the Phoenix browser, popular with some OEMs as an alternative browser, was implemented as JavaScript code that runs in the context of every page. A site controlled by an attacker could gain full access to the user's password storage, which was encrypted with the weak DES algorithm and a hard-coded key.
  • The System UI app on Meizu devices loaded additional code from the network without encryption or connection verification. By controlling the victim's HTTP traffic, an attacker could run their own code in the application's context.
  • Vivo devices shipped a modified checkUidPermission method of the PackageManagerService class that granted additional permissions to some applications even when those permissions were not declared in the manifest file. In one version, the method granted any permission to applications with the id com.google.uid.shared. In another version, package names were checked against a list to decide whether to grant permissions.
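
A defender can look for the effect described in the Vivo item, permissions held by a package that its manifest never requested, by comparing the requested and granted lists per package. The script below is an added example, not code from Google or any OEM; the sample text is constructed and assumed to follow the layout of `dumpsys package` output, and the package names and function names are hypothetical.

```python
import re

# Constructed sample laid out like `dumpsys package` output; not from a real device.
SAMPLE_DUMP = """\
Package [com.example.notes] (1a2b3c):
  requested permissions:
    android.permission.INTERNET
  install permissions:
    android.permission.INTERNET: granted=true
Package [com.example.helper] (4d5e6f):
  requested permissions:
    android.permission.INTERNET
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.INSTALL_PACKAGES: granted=true
  runtime permissions:
    android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
    android.permission.CAMERA: granted=false, flags=[ ]
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
SECTION_RE = re.compile(r"^\s*(requested|install|runtime) permissions:\s*$")
PERM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)(?::\s*granted=(true|false))?")


def parse_dump(text):
    """Return {package: {"requested": set, "granted": set}}."""
    packages, current, section = {}, None, None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            current = packages.setdefault(m.group(1), {"requested": set(), "granted": set()})
            section = None
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif current is not None and section and (m := PERM_RE.match(line)) and "." in m.group(1):
            name, granted = m.groups()
            if section == "requested":
                current["requested"].add(name)
            elif granted == "true":
                current["granted"].add(name)
        else:
            section = None  # any other line ends the current permission list
    return packages


def unrequested_grants(text):
    """Map each package to the permissions it holds but never requested."""
    return {pkg: sorted(p["granted"] - p["requested"])
            for pkg, p in parse_dump(text).items() if p["granted"] - p["requested"]}
```

Findings are leads for review rather than proof of a modified permission check, since packages that share a UID hold each other's permissions.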

Source: opennet.ru
