If you think brand new Android smartphones are immune to security vulnerabilities, think again – a new analysis by security company Kryptowire uncovered 146 CVE-level flaws in devices from 29 smartphone makers.

Without studying all 146 in detail, it’s not clear from the company’s list how many were critical flaws, but most users would agree that 146 during 2019 alone sounds like a lot.

Grouped by what they would let an attacker do, the flaws allow modification of system properties (28.1%), app installation (23.3%), command execution (20.5%) and modification of wireless settings (17.8%).

Remember, these devices, which included Android smartphones made by Samsung and Xiaomi, had never even been turned on, let alone downloaded a dodgy app – these are security problems that ship with your new phone, not ones picked up while using it.

The culprit is a range of software specific to each manufacturer, installed alongside Android itself and Google's own applications.

But, like Android and the Google applications, this software is part of the firmware image and can't be uninstalled by the user. The only way to fix one of these flaws is for the smartphone maker to be told about it and to ship an update.
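To see which of the packages on a phone fall into this category, the practical check is to look at where each installed APK lives. The following shell script is an added example, not code from the article or from Kryptowire: it parses the output format of `adb shell pm list packages -f` and treats anything outside `/data` (that is, on `/system`, `/vendor`, `/product`, `/system_ext` or `/odm`) as software shipped in the firmware image. The package list below is constructed for the example; on a real device you would pipe in the `adb` output instead. The `com.example.oem.*` package names are invented placeholders. The suggested `pm uninstall -k --user 0` commands only hide a package for the current user; without root the APK stays on the read-only partition, a factory reset brings it back, and none of this patches the underlying flaw, which is exactly the article's point.

```shell
#!/bin/sh
# Added example (not from the article or Kryptowire): classify installed
# Android packages by the partition their APK lives on, using the output
# format of:  adb shell pm list packages -f
# Packages on /system, /vendor, /product, /system_ext or /odm were shipped in
# the firmware image; without root they can only be disabled or removed for
# the current user, never deleted from the read-only partition.

# Constructed sample listing (package names are invented placeholders).
# On a real device: SAMPLE_PM_OUTPUT=$(adb shell pm list packages -f)
SAMPLE_PM_OUTPUT='package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/vendor/app/OemDiag/OemDiag.apk=com.example.oem.diag
package:/product/app/OemStore/OemStore.apk=com.example.oem.store
package:/system_ext/priv-app/OemLauncher/OemLauncher.apk=com.example.oem.launcher
package:/data/app/~~Qx1==/com.example.user.notes-aB2==/base.apk=com.example.user.notes'

# partition_of LINE -> prints the top-level partition ("system", "data", ...)
partition_of() {
    path=${1#package:}        # strip the "package:" prefix
    path=${path%=*}           # drop "=<package name>" after the last "="
    path=${path#/}            # drop the leading slash
    printf '%s\n' "${path%%/*}"
}

# package_name_of LINE -> prints the package name after the last "="
package_name_of() {
    printf '%s\n' "${1##*=}"
}

# preinstalled_packages -> package names whose APK is not under /data,
# i.e. software that shipped with the firmware image
preinstalled_packages() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | while IFS= read -r line; do
        case $(partition_of "$line") in
            data) ;;                    # user-installed, uninstalls normally
            *) package_name_of "$line" ;;
        esac
    done
}

# removal_commands -> for each preinstalled package other than the core
# com.android.* components, print the adb command that hides it for user 0
# without root. The APK remains on the partition and a factory reset restores
# it; this reduces exposure but does not fix any vulnerability in the package.
removal_commands() {
    preinstalled_packages | while IFS= read -r pkg; do
        case $pkg in
            com.android.*) ;;           # leave core platform packages alone
            *) printf 'adb shell pm uninstall -k --user 0 %s\n' "$pkg" ;;
        esac
    done
}

echo "Packages shipped in the firmware image:"
preinstalled_packages
echo
echo "Commands to hide the non-core ones for the current user:"
removal_commands
```

The `-k` flag keeps the package's data and cache, so `pm install-existing --user 0 <package>` can bring it back if something on the phone depended on it. Keep the list of what you removed; OEM packages are sometimes dependencies for other vendor software.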

Factory soiled

We’ve been here before, of course. In August 2019, Google Project Zero researcher Maddie Stone gave a presentation at Black Hat to highlight the issue of malware she and her colleagues had discovered being installed on Android devices in the supply chain.

While that concerned software deliberately installed to do bad things rather than software that was merely vulnerable, the effect from the user’s point of view is the same: they are exposed without realising it.

In one example, the Chamois SMS and click fraud botnet managed to infect 21 million devices. Even after a concerted clean-up, two years later it was still clinging to the devices of nearly 7.4 million victims.