Coalition seeks to give users more control over the apps that appear on their devices
Privacy International is calling on Google to take action against pre-installed Android software – a move which could spark change across the multi-stakeholder mobile app landscape.
In a letter penned last week by the human rights campaign group and a coalition of more than 50 other non-profit organizations, Privacy International said that mobile vendors were being allowed to sell smartphones containing exploitative software under the Android brand name.
Certain pre-installed apps are collecting user data without permission, Privacy International said, and are typically targeting vulnerable populations due to their low purchasing cost.
“These pre-installed apps can have privileged custom permissions that let [the developers] operate outside the Android security model,” the letter states.
“This means permissions can be defined by the app – including access to the microphone, camera and location – without triggering the standard Android security prompts.
“Users are therefore completely in the dark about these serious intrusions,” it added.
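One way a defender can look for the pattern the letter describes on a device in hand is to audit the permission posture of each system package from `adb shell dumpsys package <pkg>` output. The script below is an added example, not from the article or from Privacy International; the excerpt, package name and custom permission name are constructed, and the field layout follows real dumpsys output in shortened form.

```python
import re

# Constructed, shortened excerpt in the shape of `adb shell dumpsys package <pkg>`.
# Package and permission names are invented for the example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.vendor.preload] (3f2a1b0):
    codePath=/system/priv-app/Preload
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    privateFlags=[ PRIVILEGED ]
    declared permissions:
      com.vendor.preload.permission.AUDIO_SINK: prot=signature|privileged, INSTALLED
    requested permissions:
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
"""

# The microphone, camera and location permissions the letter singles out.
SENSITIVE = {"android.permission.RECORD_AUDIO", "android.permission.CAMERA",
             "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"}

def audit_package(dump: str) -> dict:
    """Summarise one package: is it a privileged system app, does it declare
    its own permissions, and which sensitive permissions were granted without a prompt."""
    result = {"system": False, "privileged": False, "custom_perms": [], "pregranted": []}
    section = None
    for line in dump.splitlines():
        s = line.strip()
        if s.startswith("flags=") and "SYSTEM" in s:
            result["system"] = True
        elif s.startswith("privateFlags=") and "PRIVILEGED" in s:
            result["privileged"] = True
        elif s.endswith("permissions:"):
            section = s[:-1]                      # e.g. "declared permissions"
        elif section == "declared permissions" and "prot=" in s:
            name, prot = re.match(r"(\S+): prot=([\w|]+)", s).groups()
            result["custom_perms"].append((name, prot))
        elif section == "runtime permissions" and "granted=true" in s:
            name = s.split(":")[0]
            flags = re.search(r"flags=\[([^\]]*)\]", s)
            # SYSTEM_FIXED marks a grant the user never confirmed and cannot revoke in Settings.
            if name in SENSITIVE and flags and "SYSTEM_FIXED" in flags.group(1):
                result["pregranted"].append(name)
    return result

def findings(dump: str) -> list:
    """Review points for a human; empty when nothing stands out."""
    r, out = audit_package(dump), []
    if r["privileged"] and r["custom_perms"]:
        out.append("privileged system app declares its own permissions: "
                   + ", ".join(f"{n} ({p})" for n, p in r["custom_perms"]))
    out += [f"sensitive permission pre-granted without a prompt: {p}" for p in r["pregranted"]]
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE_DUMPSYS):
        print("[!]", f)
```

On a real device, feed `adb shell pm list packages -s` into a loop over `dumpsys package` and review every package that produces findings.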
Bloatware security dangers
The open nature of the Android operating system (OS) means that any device vendor can modify certain aspects of the platform to suit the needs of its product. This includes the ability to select which apps come pre-installed in a consumer’s phone.
Many of these apps – such as those bundled in Google Mobile Services (GMS) – benefit consumers and assist with the phone’s functionality.
Multiple cases, however, demonstrate security inconsistencies in the Android supply chain.
In 2017, for instance, the security firm Check Point Software Technologies found that Loki malware had been pre-installed in 36 Android devices manufactured by two different companies.
Loki, which was not part of the official ROM (the vendor’s firmware image) supplied by the unnamed vendor, was disguised as adware and had the ability to siphon user data and escalate privileges on the infected device, Check Point said.
Compromised models reportedly included the Samsung Galaxy S7, LG Nexus 5, and ZTE X500.
“Pre-installed malware compromises the security even of the most careful users,” Check Point said in a blog post at the time.
“In addition, a user who receives a device already containing malware will not be able to notice any change in the device’s activity, which often occurs once malware is installed.”
Hopping over the walled garden
According to a recent paper (PDF) exploring the pre-installed Android software market, researchers suggest that only 9% of pre-installed apps studied appear in Google Play, the official app store for Android.
“The low presence of pre-installed apps in the store suggests that this type of software might have escaped any scrutiny by the research community,” the paper, said to be the first analysis of the pre-installed software ecosystem, states.
The researchers also contrast this with pre-installed apps that are published on Google Play, which pass the store’s security checks, are scanned by Google Play Protect, the tech giant’s app malware scanner, and receive frequent updates.
“74% of the non-public apps do not seem to get updated and 41% of them remained unpatched for 5 years or more,” the paper said.
“If a vulnerability exists in one of these applications, the user may stay at risk for as long as they keep using the device.”
The study, published in May 2019, analyzed Android pre-installed software from over 200 vendors, looking at factors like app third-party services, permissions, and the presence of malware.
“Overall, the supply chain around Android’s open source model lacks transparency and has facilitated potentially harmful behaviors and backdoored access to sensitive data and services without user consent or awareness,” the paper said.
Handing control to users
Pre-installed apps, commonly referred to as ‘bloatware’, are determined by the app developer or manufacturer, subject to the security guidelines of the Android Open Source Project.
Any device that gets shipped with Google’s suite of apps installed – the Play Store, YouTube, Gmail, and so on – receives Play Protect certification through the Android Certified Partners program.
Privacy International maintains that users should be given the option to remove pre-installed apps and background services from their device, particularly as harmful apps are circumventing Android security checks at various points throughout the development process.
“We’re looking specifically at Google’s certified partners, which are companies that Google certify and allow to use the Play Protect and Android branding to help them sell phones,” a spokesperson from Privacy International told The Daily Swig.
“Essentially we want people to be able to control what’s on their phone.”
Removing pre-installed software from a device currently requires a user to root their smartphone. This automatically voids its warranty and may open the door to yet more security risks.
The Daily Swig has reached out to Google for comment.