Attacks on Android-Based Smartphones and Impact of Vendor Customization on Android OS Security

Smartphones are ubiquitous today, and they contain a large amount of personal and sensitive information. It is, therefore, essential to secure the underlying operating system. Android is the dominant operating system among the smartphone market; therefore, it is critical to uphold the security standards of Android. Android smartphone manufacturers and third-party custom ROM developers modify the operating system heavily to differentiate themselves among the competitors. The modifications done by the Smartphone manufacturers and third-party custom ROM developers posses a threat to the smartphone user’s privacy and make the Android OS vulnerable to advanced persistent threat (APT) attacks. This paper demonstrates that Smartphone manufacturers and third-party custom ROM developers can bypass Android’s security mechanisms and breach the user’s privacy without getting detected by the user by modifying parts of Android OS except for the kernel. In particular, this paper shows methods by which APT attacks can be performed on the Android 10’s Camera subsystem to capture pictures from the camera and upload them to a remote server without the user’s knowledge.