9

If an Android device has something malicious on it that can also target/affect PCs, and that device is connected to a PC via USB, by default it automatically chooses to start charging.


Is there any risk that anything could be transferred to the PC? As in, is it possible for a split second before it chooses the "Charging" setting that it allows some data transfer to the computer?

At work we are warned not to connect any USB devices to our computers, but a colleague told me that they charge their phone (Google Pixel - Android 9 Pie) via USB and that since charging is chosen by default it's fine. While this seems totally logical, I wasn't sure if it was exactly true.

3 Answers

3

Theoretically, there is definitely a risk, though practically (with that specific phone), the risk is mitigated; regardless, a no-USB policy should mean no USBs of any kind are plugged into the computer (not just flash drives). What's preventing the phone from acting just as if it's a flash drive (hint: it's the software)? They're communicating through the same port and data lines.

  1. You are assuming the phone's manufacturer is secure - Google hasn't tampered with the hardware, OS or firmware.
  2. You are assuming the phone's OS is secure - Android doesn't act maliciously and is bug free.
  3. At a nation state/APT level, you are assuming there are no zero-day exploits (take a look at Stuxnet).

TLDR: no USBs of any kind should be plugged in.

1

The feature in the screenshot is intended for protecting the phone from PCs and chargers. However, at least on the Android 9/Pie device I borrowed, it is still recognized by Windows as an MTP device that exports no volumes.

The question is unclear whether the phone or the PC is to be protected.

  • If you want to protect the phone from malware on the PC: Maybe.
  • If you want to protect the PC from malware on the phone: No, malware can do anything, "it's just software"
1
  • I think it mentions in the question "If an android device has some something malicious on it that can also target/affect PCs" so it's the second bullet point :)
    – Mark
    Commented Apr 8, 2021 at 14:46
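
The observation in the answer above, that a phone set to charge only is still recognized by the host as an MTP device, can be checked from the host side. This added example (not part of the original answers) reads the Linux sysfs USB tree and lists which data-capable interface classes each enumerated device exposes; the sample tree, its device names and the classes in it are constructed, and a real phone may report a different class.

```python
import os
import tempfile

# bInterfaceClass codes from the USB-IF class list (subset).
CLASSES = {0x02: "CDC control", 0x03: "HID", 0x06: "still image (PTP/MTP)",
           0x08: "mass storage", 0x09: "hub", 0x0A: "CDC data",
           0xFF: "vendor specific"}
# Classes through which a device can send input or files to the host.
DATA_CAPABLE = {0x02, 0x03, 0x06, 0x08, 0x0A, 0xFF}

def audit_usb(sysfs_root="/sys/bus/usb/devices"):
    """Map each enumerated device (e.g. '1-3') to its interface class codes."""
    devices = {}
    for entry in sorted(os.listdir(sysfs_root)):
        if ":" not in entry:      # '1-3' is a device, '1-3:1.0' an interface
            continue
        try:
            with open(os.path.join(sysfs_root, entry, "bInterfaceClass")) as f:
                code = int(f.read().strip(), 16)   # sysfs stores hex, e.g. "06"
        except (OSError, ValueError):
            continue
        devices.setdefault(entry.split(":")[0], []).append(code)
    return devices

def data_capable(devices):
    """Keep only devices with at least one interface that is more than power."""
    return {dev: [CLASSES.get(c, f"0x{c:02x}") for c in codes if c in DATA_CAPABLE]
            for dev, codes in devices.items()
            if any(c in DATA_CAPABLE for c in codes)}

def build_sample_tree():
    """Constructed sysfs-like tree: root hub, phone in 'charging' mode,
    and a composite device presenting a keyboard plus storage."""
    root = tempfile.mkdtemp()
    sample = {"1-0:1.0": "09", "1-3:1.0": "06", "1-4:1.0": "03", "1-4:1.1": "08"}
    os.makedirs(os.path.join(root, "1-3"))   # device node itself, no class file
    for name, cls in sample.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "bInterfaceClass"), "w") as f:
            f.write(cls + "\n")
    return root

if __name__ == "__main__":
    for dev, kinds in data_capable(audit_usb(build_sample_tree())).items():
        print(dev, "->", ", ".join(kinds))
```

On a real host, call `audit_usb()` with its default path. A phone on a cable without data lines never enumerates, so it would not appear in the result at all.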
0

See https://www.techrepublic.com/article/free-charging-stations-can-hack-your-phone-heres-how-protect-yourself/ and https://securityaffairs.co/wordpress/75644/hacking/usbharpoon-attack.html. These don't explicitly mention Android, but there can be no guarantees.

The charging protocol itself employs some data exchange (which depends on the phone manufacturer), to provide 'smart charging' that improves battery life. To what extent this protocol may be hacked depends (again) on the manufacturer. That's why branded chargers may be more efficient than generics.

It should be noted that a malicious USB source can abuse such a protocol, not to hack the phone, but to damage the battery.

You can choose to physically disconnect the 'data' lines of the USB, e.g. use a charge-only USB cable (with 2 wires instead of four). But such a setup will be less healthy for your battery.

5
  • will be less healthy for your battery - source, please
    – domen
    Commented Apr 29, 2019 at 12:48
  • @domen start with androidauthority.com/maximize-battery-life-882395, including the comments
    – Alex Cohn
    Commented Apr 29, 2019 at 13:41
  • Can't find any claims about disconnecting data lines and battery health there.
    – domen
    Commented Apr 29, 2019 at 13:45
  • Disconnecting data lines is equivalent to 'dumb' charging without control from the side of the device. The charger will keep the same voltage, which may not be optimal, as the article says.
    – Alex Cohn
    Commented Apr 29, 2019 at 13:52
  • I think you are confusing many different things here. There's (at least) a charging IC between the charger and the li-ion/po battery. The article is not discussing 'dumb' charging nor chargers without data lines.
    – domen
    Commented Apr 29, 2019 at 13:56
