The loaders of the Android operating system from five mobile processor manufacturers have found vulnerabilities that violate the process of trusted downloads and endanger the safety of users.

The problems were discovered by a team of researchers at the University of California during the study of Android hardware loaders. These components attracted the attention of researchers, since their analysis is extremely difficult due to the lack of familiar metadata and closed source code.

The purpose of the study was to create a BootStomp tool for testing and analyzing loaders. With its help, scientists discovered seven vulnerabilities - six previously unknown and one known (CVE-2014-9798). Of the six new vulnerabilities, manufacturers confirmed five. Some of them allow executing the code during the download process or causing permanent denial of service. Using two more vulnerabilities, an attacker with superuser privileges on the OS can unlock the device and disrupt the trusted boot process.

Vulnerabilities are affected by the following products:.

-Chipset Huawei / HiSilicon (used in devices Huawei P8 ALE-L23);.

-Chipset NVIDIA Tegra (used in devices Nexus 9);.

-Chipset MediaTek ((used on Sony Xperia XA devices);.

-New loader Qualcomm LK; Old Qualcomm LK boot loader.

Trusted loading - loading operating systems only from predefined permanent media (for example, only from a hard disk) after the successful completion of special procedures: checking the integrity of the hardware and software of the PC (using the stepwise integrity control mechanism) and hardware authentication / user authentication.