Several dozen budget smartphones are vulnerable to being hacked, thanks to an issue with an app bundled with the UNISOC chipset that powers the handsets.
"The vulnerability allows intruders to access call and system logs, text messages, contacts, and other private data, video record the device's screen or use the external-facing camera to record video, or even take control of the device remotely, altering or wiping data," said McLean, Virginia-based mobile-security firm Kryptowire, which discovered the flaw.
The vulnerability exists on phones using the UNISOC SC9863A chipset, a group that includes many phones costing about $100 or less, such as the Nokia C20, C20 Plus and C30, the upcoming Nokia C21 and C21 Plus, the Motorola Moto E6i and E7i Power, the Lenovo A7 and K13, the ZTE Blade E-series, the Realme C11 and even the Samsung Galaxy A03 and A03 Core.
Most Android phones sold in the United States use Qualcomm chipsets, with some budget phones using cheaper MediaTek silicon instead. But in parts of the developing world, where $100 is a lot of money, even more affordable chipsets like those made by Shanghai-based UNISOC have a big market share.
More complete lists of phones that use the UNISOC SC9863A chipset can be found here, here and here.
How the flaw can be exploited
Kryptowire was initially cryptic about where exactly the vulnerability lies on the UNISOC chipset and how an attacker might exploit it. But after we asked some specific questions, a Kryptowire spokesperson passed along that the flaw "lies within a pre-installed app, authored by UNISOC, that comes bundled with some of their system-on-a-chip models on a range of Android vendor devices."
That pre-installed UNISOC app appears to have system-wide privileges and will execute commands sent to it by other apps, without authentication.
By sending the UNISOC app specific commands, a malicious app downloaded by the phone's user, or an app installed by a handset maker or wireless carrier before the phone reaches the user, could take over the phone.
"The flaw cannot be exploited completely remotely (unless it is directly exposed to the internet without NAT [a routing protocol]), although it does not require any user interaction beyond downloading an app," Kryptowire told us.
"It is theoretically possible for a separate pre-installed app used in a supply chain attack scenario to exploit the vulnerability remotely."
What to do about this
Installing one of the best Android antivirus apps might stop a malicious app from being downloaded, but it might not be as effective against a malicious app that was already on the phone.
Suffice it to say that if you've got one of these phones, contact the phone maker and your wireless carrier and ask if they've done anything about this flaw. If not, then stop using the phone until they do.
If you need a replacement handset, you could choose a device from our list of the best budget phones, although most cost a bit more than $100.
A Kryptowire spokesperson told us that Nokia had fixed the flaw on its affected phones, and that France-based multinational wireless carrier Orange had as well.
They added that Kryptowire informed UNISOC, handset makers and wireless carriers of the flaw in December 2021, and that UNISOC had yet to respond.