Academic researchers from Universidad Carlos III de Madrid have discovered such an array of vulnerabilities in Android smartphones that owners might want to cast their devices away with alarm.

The study analyzed 82,501 apps that were pre-installed on 1,742 Android smartphones and sold by 214 vendors. Although not using these words the researchers basically said security and privacy on pre-installed applications is a mess.

The study is one of the most thorough of its kind, and included both an analysis of device firmware, app behavior and the internet traffic the apps generated. The findings are damning.

Deeply intrusive

  • Many of the pre-installed apps have access to very intrusive permissions out of the box, collect and send data about users to advertisers and have security flaws that often remain unpatched. 
  • Many can't be removed and also use third-party libraries that secretly collect user data from within benign-looking and innocently-named applications.

Dubious origins

  • Several hundred pre-installed apps were signed with certificates that were either self-signed, or featured an "Issuer" field that contained generic terms such as "Android" or "Android Debug" (42 apps). These types of generic certificates make it impossible to find out who developed these apps. 
  • Some pre-installed apps were signed with certificates belonging to companies known to engage in user tracking such as Adups, AccuWeather and GMobi.

Privacy horrors

  • The vast majority of pre-installed apps were coded to access device logs, get a list of local installed apps, get network settings or have the ability to run native code. 
  • Nearly 7,000 apps left internal components exposed to external queries by other apps installed on the same device. This exposes all their functions and permissions to lower-privileged apps which is a well-documented attack vector for hackers. 
  • Some apps had hardware and network fingerprinting capabilities often collected under the term 'device capability.' Some apps also had analytics services that track the installation and removal of apps while some were able to collect and send email and phone call metadata.

These findings are in a sense the tip of the iceberg given the technical skullduggery that these apps engage in. For instance the researchers also found a secretive data collection service inside a FOTA (firmware-over-the-air) update mechanism developed by Redstone Sunshine Technology.
  • The app includes a service that can collect and disseminate dozens of data items, including both user and device identifiers, behavioral information such as SMS and calls sent and received, and statistics about network flows and usage statistics and performance information preinstalled package. 
  • The data collected is incredibly extensive and not anonymous at all as it’s linked to multiple user and device identities.

The researchers will present more details of their findings at an IEEE Symposium on Security and Privacy in San Francisco, late May 2019.

What to do?

The extent to which the pre-installed apps leave Android users vulnerable is horrendous.  To protect against malware it’s suggested that users install antivirus software. A free version of BullGuard Mobile Security is available. A version with parental controls is available at low cost. To protect data it’s recommended that a VPN is used. This will stop the apps from tracking your online movements.