Researchers only “scratching the surface” of a pervasive Android bloatware issue
Pre-installed Android apps for third parties pose security and privacy risks
Researchers have discovered a dangerous trend concerning Android phone manufacturers whereby third-parties will pay to install pre-loaded apps containing potentially harmful code.
These third parties could be mobile network operators or other third-party advertising companies which will install different apps at the supply chain level so manufacturers can squeeze a little extra revenue out of each device sold.
The most dangerous cases where when malware was actually installed from these proprietary apps introduced by third parties. The researchers noted that such infections typically occurred in the low-end range of phones, but it was also evident in some high-end phones too.
"We identified variants of well-known Android malware families that have been prevalent in the last few years, including Triada, Rootnik, SnowFox, Xinyin, Ztorg, Iop, and dubious software developed by GMobi," read the research paper.
"According to existing AV reports, the range of behaviours that such samples exhibit encompass banking fraud, sending SMS to premium numbers or subscribing to services, silently installing additional apps, visiting links, and showing ads, among others."
In addition to the malware-laden apps, researchers found that many apps also had access to personally identifiable information (PII) and these appeared to distribute said information to third parties.
Other intrusive behaviours observed include apps being able to collect and distribute email and phone call metadata to third parties; this data could include contact details and recipients which can inform leads used by marketers.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The data analysed by university researchers from the US and Spain was based on information provided by 2,748 volunteers using 1,742 different Android devices.
It's not just security issues that Android users are facing, the researchers point to a much wider chain of partnerships between handset vendors, network carriers, analytics services and online services such as Skype and Dropbox.
These far-reaching partnerships "suggest and in some cases confirm" instances where the companies you trust the most, namely Samsung, Huawei and Sony are knowingly granting permissions which circumvent Android's prevention of apps accessing sensitive data to third-party apps.
For example, Chinese tech giant Baidu's geo-location permission can be exposed and circumvented by third-party apps, meaning your location data could be accessed by an app which you didn't explicitly approve.
Facebook has also been found to download other associated software such as Instagram after permissions were circumvented in 24 Android vendors including Samsung, Asus, Xiaomi, HTC, Sony and LG.
The researchers say that after a full year, they've only just begun to scratch the surface of a much wider issue surrounding the Android device supply chain and the effect it's having on user security and privacy.
In terms of how to rectify the situation, the researchers speculate on a few possibilities. "Google might be a prime candidate for it given its capacity for licensing vendors and its certification programs."
"Alternatively, in absence of self-regulation, governments and regulatory bodies could step in and enact regulations and execute enforcement actions that wrest back some of the control from the various actors in the supply chain."
Google's Play Protect is Android's built-in malware protection against nefarious apps and is "backed by the strength of Google's machine learning algorithms, it is always improving in real time", according to its web page.
We approached Google for comment on the extent to which Play Protect can mitigate the threats imposed by these pre-installed apps but it did not immediately reply to our emails.
The discovery highlights the prevailing issue with Android apps both proprietary and downloaded from the Google Play store where security and privacy issues run rife.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.